# Security Policy for gadspilot.com (RFC 9116)
# https://gadspilot.com/.well-known/security.txt

Contact: mailto:ceo@lws.fr
Contact: https://www.linkedin.com/in/nicolas-depredurand-518776b7/
Expires: 2027-04-22T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://gadspilot.com/.well-known/security.txt
Policy: https://gadspilot.com/privacy
Acknowledgments: https://gadspilot.com/about

# How to report a security vulnerability
# 1. Email ceo@lws.fr with subject prefix "[SECURITY]"
# 2. Include: description, reproduction steps, impact assessment
# 3. We confirm receipt within 48h
# 4. Fix timeline depends on severity (critical: 7 days, high: 14 days, medium: 30 days)
# 5. Public disclosure: coordinated with the reporter, typically 60-90 days after fix
#
# We do NOT operate a paid bug bounty program at this time.
# Security researchers acting in good faith will be acknowledged publicly (if they wish).
#
# In scope:
# - gadspilot.com main app + all subdomains
# - MCP endpoints (/mcp, /mcp-gsc, /mcp-meta): auth, OAuth, rate-limiting bypass
# - OAuth 2.1 implementation (RFC 7591, PKCE, RFC 8707)
# - Token storage encryption (AES-256-CBC at rest)
#
# Out of scope:
# - Social engineering of LWS staff
# - Physical attacks
# - DoS / resource exhaustion (we use Cloudflare-grade DDoS protection)
# - Issues in 3rd-party services (Google Ads API, Meta Graph API, OpenRouter)