# Crack the Optometry Boards Security Policy
# RFC 9116 Compliant Security.txt
# https://securitytxt.org/

# Contact information for security researchers
Contact: mailto:hi@OptometryBoards.com

# PGP key for encrypted communications (optional)
# Encryption: https://optometryboards.com/.well-known/pgp-key.txt

# Preferred languages for security reports
Preferred-Languages: en

# Canonical URL for this security.txt file
Canonical: https://optometryboards.com/.well-known/security.txt

# Policy page (if available)
# Policy: https://crackoat.com/security-policy

# Acknowledgments page for security researchers
# Acknowledgments: https://crackoat.com/security-thanks

# Expiration date for this file (must be updated annually)
Expires: 2026-12-31T23:59:59.000Z

# Hiring information (optional)
# Hiring: https://crackoat.com/careers

# ═══════════════════════════════════════════════════════════════════
# SECURITY DISCLOSURE GUIDELINES
# ═══════════════════════════════════════════════════════════════════
#
# Thank you for helping keep Crack the Optometry Boards and our users safe!
#
# Scope:
# - crackoat.com and all subdomains
# - Our web and mobile applications
# - Our API endpoints
#
# Out of Scope:
# - Third-party services (Stripe, PayPal, Vimeo, etc.)
# - Social engineering attacks
# - Physical security assessments
# - Denial of service attacks
#
# Responsible Disclosure:
# - Please allow up to 90 days for remediation
# - Do not access or modify user data
# - Do not disrupt service availability
# - Do not publicly disclose vulnerabilities before remediation
#
# We appreciate security researchers who:
# - Provide detailed reports with steps to reproduce
# - Allow reasonable time for remediation
# - Act in good faith to protect our users
#
# ═══════════════════════════════════════════════════════════════════