Contact: mailto:security@curequest.io
Expires: 2027-04-25T00:00:00.000Z
Preferred-Languages: en, ko
Canonical: https://curequest.io/.well-known/security.txt
Policy: https://curequest.io/terms#section-4

# Reporting a vulnerability
# - Please don't disclose publicly until we've had 90 days to respond.
# - Include reproduction steps, the affected URL/endpoint, and any
#   proof-of-concept payload (sanitized).
# - We don't currently run a paid bounty, but we credit researchers in
#   release notes (with consent).

# Out of scope
# - Reports generated solely by automated scanners with no manual
#   triage.
# - Rate-limit findings on documented endpoints.
# - Self-inflicted issues (XSS via your own browser extensions, etc.).

# Acknowledged scope
# - All curequest.io subdomains.
# - The Next.js app served from app.curequest.io / curequest.io/app.
# - Public APIs under /api/*.