# TradeKit Security Disclosure
# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116

Contact: mailto:kristan@kihtech.co.uk
Expires: 2027-06-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://tradekitapp.co.uk/.well-known/security.txt
Policy: https://tradekitapp.co.uk/terms.html

# We welcome reports of security vulnerabilities affecting TradeKit, including:
# - Authentication or authorisation bypasses
# - Data exposure (other users' tax/business data)
# - Injection (XSS and similar payload-based bugs; we do not run SQL, so SQL
#   injection itself does not apply)
# - HMRC OAuth flow or token handling issues
# - Two-Step Sign-in bypasses
#
# Please report to kristan@kihtech.co.uk with:
# - Description of the vulnerability
# - Steps to reproduce
# - Affected URL/endpoint
# - Optional: proof-of-concept payload (please do not exfiltrate other users' data)
#
# We aim to acknowledge reports within 2 working days and provide an initial
# assessment within 5 working days. We do not currently operate a paid bug
# bounty programme, but we credit responsible disclosure on request.
#
# Please do not publicly disclose vulnerabilities before we have had a
# reasonable opportunity to investigate and fix them (typically 30-90 days
# depending on severity).
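# The checker below is an added example, not part of TradeKit's published file or its
# code. It parses the field lines of a security.txt (the SAMPLE is constructed from the
# published fields above, comments omitted) and applies the RFC 9116 rules a publisher
# most often gets wrong: Contact is required, Expires appears exactly once and lies in
# the future (the RFC recommends less than a year ahead), web URLs are https-only, and
# Canonical lists the URL the file was actually fetched from. Function names and the
# fetched_from/now parameters are this example's own.

```python
"""Minimal RFC 9116 security.txt checker (added example; not TradeKit's code)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample: the published field lines, with the explanatory comments omitted.
SAMPLE = """\
# TradeKit Security Disclosure
Contact: mailto:kristan@kihtech.co.uk
Expires: 2027-06-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://tradekitapp.co.uk/.well-known/security.txt
Policy: https://tradekitapp.co.uk/terms.html
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> list of values; '#' comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)  # first colon only; values such as mailto:... keep theirs
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """Parse the RFC 3339 date-time used by Expires; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def validate(text: str, fetched_from: str | None = None,
             now: datetime | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: required field is missing")
    for c in contacts:
        scheme = urlparse(c).scheme
        if not scheme:
            problems.append(f"Contact: not a URI: {c!r}")
        elif scheme == "http":
            problems.append(f"Contact: web URLs must use https: {c!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = parse_expires(expires[0])
        except ValueError as e:
            problems.append(f"Expires: unparseable ({e})")
        else:
            if exp <= now:
                problems.append(f"Expires: file expired at {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires: more than a year ahead (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")

    # Other link-bearing fields: flag plaintext http; dns:/openpgp4fpr: etc. are left alone.
    for name in ("canonical", "policy", "acknowledgments", "hiring", "encryption"):
        for url in fields.get(name, []):
            if urlparse(url).scheme == "http":
                problems.append(f"{name.title()}: must use https: {url!r}")

    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        problems.append(f"Canonical: {fetched_from!r} not among listed canonical URIs")

    return problems


if __name__ == "__main__":
    for p in validate(SAMPLE, fetched_from="https://tradekitapp.co.uk/.well-known/security.txt"):
        print(p)
```

# Run it against the file as served (not the copy in the repository) and pass the URL it was
# fetched from, since a Canonical mismatch or an expired file is exactly what a reporter's
# tooling will reject. The year-ahead check is a recommendation in the RFC, so treat it as a
# warning if a longer validity is deliberate.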