# Security contact for hiretoby.com (Toby — Employee Relations OS)
# Format defined by RFC 9116. https://datatracker.ietf.org/doc/html/rfc9116

Contact: mailto:security@hiretoby.com
Expires: 2027-05-22T00:00:00.000Z
Preferred-Languages: en
Canonical: https://hiretoby.com/.well-known/security.txt
Policy: https://hiretoby.com/security
Acknowledgments: https://hiretoby.com/security#acknowledgments

# Please include reproduction steps and an affected URL.
# We respond within 1 business day and credit researchers in
# our security acknowledgments page on request.
#
# Out-of-scope:
# - Marketing site clickjacking via X-Frame-Options (already DENY)
# - Missing email DMARC/SPF on third-party domains we don't control
# - Self-XSS that requires the user to paste payloads into their own console
# - Theoretical attacks without proof of concept
#
# In-scope (highest priority):
# - Cross-tenant data leakage (Postgres RLS bypass)
# - Audit ledger tampering (SHA-256 chain integrity)
# - Authentication / session bypass (WorkOS, magic link, passkey)
# - SSRF, RCE, SQL injection, sensitive data exposure
# - Integration credential decryption / KMS misuse