# security.txt for leftwardlabs.com
# RFC 9116 · https://www.rfc-editor.org/rfc/rfc9116
#
# DEPLOYMENT NOTES:
# - Serve at BOTH:
#     https://leftwardlabs.com/.well-known/security.txt   (canonical, RFC 9116)
#     https://leftwardlabs.com/security.txt                (legacy fallback)
# - Must be served as `Content-Type: text/plain; charset=utf-8`.
# - Update `Expires` annually. A stale `Expires` makes the file invalid per spec.
# - If/when you publish a PGP key, host it at /.well-known/leftwardlabs-pubkey.txt
#   and add an `Encryption:` line below. Optional · fine to ship without one.

Contact: mailto:security@leftwardlabs.com
Expires: 2027-05-12T00:00:00.000Z
Preferred-Languages: en
Canonical: https://leftwardlabs.com/.well-known/security.txt
Policy: https://leftwardlabs.com/riftwords/security-policy.html

# Scope: the RiftWords mobile app (iOS, Android), leftwardlabs.com, and any
# Leftward Labs LLC subdomain. Out of scope: third-party SDKs (AppLovin,
# RevenueCat, etc.) · please report those to the vendor directly.
#
# What we ask:
#   - Give us 90 days before public disclosure.
#   - Don't access data that isn't your own. No automated scanning that
#     degrades service for other players.
#   - We'll acknowledge in <48h, give a status update within 7 days, and
#     credit you in release notes once a fix ships (unless you ask otherwise).
#
# Solo developer studio · patience appreciated.