# PULSE security disclosure policy
# https://securitytxt.org/  (RFC 9116)

Contact: mailto:security@pulse-optimization.com
Contact: mailto:support@pulse-optimization.com
Expires: 2027-05-16T00:12:37Z
Encryption: https://www.pulse-optimization.com/.well-known/security.txt
Preferred-Languages: en
Canonical: https://www.pulse-optimization.com/.well-known/security.txt
Policy: https://www.pulse-optimization.com/terms.html

# Software Bill of Materials (CycloneDX 1.5). Updated on every release.
# Filename pattern: /api/sbom-<version>.json
# See /api/version.json for the current version.
# Acknowledgments: https://www.pulse-optimization.com/.well-known/security.txt

# Scope
#
# In scope:
#   - https://www.pulse-optimization.com  (the marketing + account site)
#   - https://pulse-account-api.valone-010.workers.dev  (Cloudflare worker)
#   - https://api.pulse-optimization.com               (custom domain alias)
#   - The PULSE desktop installer at /download/pulse-installer.exe
#     (Tauri 2 / Rust / NSIS — code in https://github.com/I-I-V/Pulse)
#
# Out of scope:
#   - Self-hosted instances modified by users
#   - Issues that require physical access to a victim's unlocked machine
#   - Social-engineering attacks on PULSE staff
#   - Anything in third-party services (Stripe, Supabase, Cloudflare,
#     Resend, BetterUptime) — please report those to the respective vendor
#
# We do not currently run a paid bounty program; we will publicly credit
# researchers (or anonymously, your choice) once a fix has shipped.