# CoinKirin Security Disclosure Policy
# https://coinkirin.com/security
# RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure

Contact: mailto:security@coinkirin.com
Expires: 2027-04-19T00:00:00Z
Preferred-Languages: en, zh-Hans
Canonical: https://coinkirin.com/.well-known/security.txt
Policy: https://coinkirin.com/security
Acknowledgments: https://coinkirin.com/security#acknowledgments

# Please see our full responsible disclosure policy at /security.
# We aim to respond within 24h, triage within 72h, and fix Critical issues
# within 7 days, High within 30 days, Medium within 90 days.
#
# Scope:
# - coinkirin.com and all subdomains
# - Our public API (api.coinkirin.com/api/v1)
# - Our Next.js web frontend
# - Our Go backend services
#
# Out of scope:
# - Denial-of-service / volumetric attacks
# - Spam / social engineering
# - Third-party services we do not control (Cloudflare, Resend, etc.)
# - Missing security headers that do not lead to exploit
#
# Please do NOT:
# - Access or modify user data beyond the minimum to demonstrate the issue
# - Publicly disclose before coordinated fix (usually 90 days for High)
# - Run automated scanners that generate sustained load