# Enode Vulnerability Disclosure Policy
# https://enode.com/.well-known/security.txt
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@enode.io
Expires: 2027-01-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://enode.com/.well-known/security.txt

# Policy
#
# Enode welcomes responsible disclosure of security vulnerabilities.
#
# If you believe you have found a vulnerability in our systems, please
# report it to security@enode.io. Include a description of the
# vulnerability, steps to reproduce, and any supporting evidence.
#
# We ask that you:
# - Act in good faith to avoid privacy violations, data destruction, or disruption to our services
# - Give us reasonable time to respond and remediate before any public disclosure
# - Do not access or modify customer data
# - Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
#
# We will:
# - Acknowledge receipt within 3 business days
# - Provide an initial assessment within 10 business days
# - Keep you informed of remediation progress
# - Credit reporters (with consent) when the issue is resolved
#
# Scope: All Enode-operated systems and services, including
# - enode.com
# - *.enode.io
# - Enode API and OAuth endpoints
#
# Out of scope:
# - Third-party services (AWS, Google Workspace, etc.)
# - Social engineering or phishing attacks against Enode employees
# - Denial-of-service attacks
# - Issues in third-party dependencies with no demonstrated impact
# - Missing security headers (CSP, X-Frame-Options, etc.) without demonstrated exploitability
# - Clickjacking on pages with no sensitive actions
# - CSRF on logout, login, or other non-state-changing actions
# - Self-XSS (requires victim to paste code into their own browser)
# - Missing cookie flags (Secure, HttpOnly) on non-session cookies
# - Email configuration issues (SPF, DKIM, DMARC) without demonstrated spoofing impact
# - Rate-limiting issues without demonstrated abuse scenario
# - Disclosure of server versions or banners
# - Theoretical vulnerabilities without working proof of concept
# - Content injection without demonstrated security impact
# - Open redirects unless chained with another vulnerability
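The file above is an instance of the RFC 9116 security.txt format, and the fields it uses (Contact, Expires, Preferred-Languages, Canonical) each carry rules a reporter or maintainer can check offline: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Contact values must be URIs (so a bare e-mail address is invalid), Canonical must use HTTPS, and Expires should be an RFC 3339 date-time that has not passed and is not more than a year out. The following parser and checker is an added example, not Enode's own tooling; it embeds two constructed samples, one modelled on the file above and one deliberately broken, so it runs without network access. Field names, sample values and the helper names are illustrative assumptions of this example.

```python
"""Minimal RFC 9116 security.txt parser and sanity checker (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# RFC 9116 rules that can be checked without fetching anything.
REQUIRED = {"contact", "expires"}
AT_MOST_ONCE = {"expires", "preferred-languages"}

# Constructed sample modelled on the policy above (not fetched from enode.com).
SAMPLE_GOOD = """\
# Example security.txt (constructed for this example)
Contact: mailto:security@enode.io
Expires: 2027-01-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://enode.com/.well-known/security.txt
# Policy text would follow as comments
"""

# Constructed sample with several violations: bare address, expired and
# duplicated Expires, plain-HTTP Canonical, and a line missing its colon.
SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2020-06-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
Preferred-Languages en
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values in file order.

    Blank lines and '#' comments are skipped. Lines with no 'Name:' prefix
    are collected under the pseudo-field '_malformed' for reporting.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp; None if unparsable or missing an offset."""
    v = value.strip()
    if v.endswith(("Z", "z")):  # datetime.fromisoformat only accepts 'Z' on 3.11+
        v = v[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of human-readable findings; empty means no issue found."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings: list[str] = []
    for f in sorted(REQUIRED - set(fields)):
        findings.append(f"missing required field: {f}")
    for f in sorted(AT_MOST_ONCE):
        if len(fields.get(f, [])) > 1:
            findings.append(f"field appears more than once: {f}")
    for bad in fields.get("_malformed", []):
        findings.append(f"malformed line: {bad!r}")
    for v in fields.get("contact", []):
        if ":" not in v:  # RFC 9116 requires a URI such as mailto:, https:, tel:
            findings.append(f"contact is not a URI (bare address?): {v}")
    for v in fields.get("canonical", []):
        if not v.lower().startswith("https://"):
            findings.append(f"canonical must use https: {v}")
    for v in fields.get("expires", []):
        exp = parse_rfc3339(v)
        if exp is None:
            findings.append(f"expires is not an RFC 3339 date-time: {v}")
        elif exp <= now:
            findings.append(f"file expired on {v}")
        elif exp - now > timedelta(days=365):
            findings.append(f"expires more than a year out (RFC 9116 recommends under a year): {v}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample) or "OK")
```

Run against a live file, fetch `https://<host>/.well-known/security.txt` over HTTPS and pass the body to `check_security_txt`; note that the good sample only passes while its Expires value lies within the next year of the clock you pass in, which is exactly the renewal reminder the Expires field exists to give.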