# ZenoXCare Security Disclosure Policy — IETF RFC 9116
#
# Mirrored programmatically in the A2A agent card at
# /.well-known/agent.json (`policies` block) so peer agents can discover
# the same policy without scraping.

Contact: mailto:security@zenoxcare.com
Contact: https://www.zenoxcare.com/security/disclosure
# RFC 9116 (2.5.5) recommends an Expires value less than a year out, so
# this file must be refreshed and re-published before the date below.
Expires: 2027-12-31T23:59:59.000Z
Encryption: https://www.zenoxcare.com/.well-known/security-pgp.asc
Acknowledgments: https://www.zenoxcare.com/security/hall-of-fame
Preferred-Languages: en, en-GH
Canonical: https://www.zenoxcare.com/.well-known/security.txt
Policy: https://www.zenoxcare.com/security/disclosure
Hiring: https://www.zenoxcare.com/careers

# What's in scope
# - All hosts under www.zenoxcare.com and *.zenoxcare.com
# - Mobile applications published by ZenoXCare
# - Public APIs: /api/public/*, /.well-known/*, /api/v1/*
# - The Verification Network sandbox at /network/sandbox
# - The A2A agent surface at /.well-known/agent.json and /api/public/a2a/*
#
# Out of scope
# - Third-party services we depend on (Paystack, Twilio, Resend, Vercel,
#   Sentry). Please report issues in those directly to the provider.
# - Denial-of-service tests. Use the sandbox with your own API key and
#   your own tenant; never run high-volume tests against production.
# - Social engineering of staff or partners.
#
# Disclosure timeline
# - Acknowledgement within 2 business days of report receipt.
# - Triage and initial severity rating within 5 business days.
# - Coordinated disclosure target: 90 days from confirmation, extendable
#   by mutual agreement for high-complexity issues.
#
# Safe harbor
# - We will not pursue legal action against researchers acting in good
#   faith, staying within scope, and following coordinated disclosure.
# - Please use the dedicated `security-research@zenoxcare.com` test
#   tenant when possible.
# Notes for AI / agent peers
# This file is also surfaced as `policies.securityContact` in
# /.well-known/agent.json so a peer agent can discover the same contact
# point via the A2A protocol.
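A file like the one above is only useful to a reporter if it still parses and has not expired, so the deploy step that publishes it (and the agent-card mirror) should validate it against RFC 9116 first. The validator below is an added example, not ZenoXCare's own tooling. It enforces the RFC's rules that break reporting when violated: at least one `Contact`, exactly one `Expires` that is a valid RFC 3339 timestamp in the future, at most one `Preferred-Languages`, known field names, and `https` for any web URI. It also warns when `Expires` is more than a year out, which the RFC recommends against and which the value above trips. `SAMPLE_OK` copies the fields from this file; `SAMPLE_BAD` is constructed to fail. It does not inspect `/.well-known/agent.json`.

```python
"""Validate an RFC 9116 security.txt before publishing it.

Added example, not ZenoXCare's own tooling. The sample texts below are
constructed for the demo: SAMPLE_OK copies the published fields, SAMPLE_BAD
is made up to exercise the error paths.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names defined in RFC 9116 section 2.5.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
# Fields the RFC says MUST NOT appear more than once.
SINGLETON_FIELDS = {"expires", "preferred-languages"}
# Fields whose values, when they are web URIs, MUST use https.
HTTPS_ONLY_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                     "hiring", "policy"}


@dataclass
class Report:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_security_txt(text: str) -> Report:
    """Split the file into 'Field: value' entries, skipping blank and '#' lines."""
    rep = Report()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            rep.errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        key = name.strip().lower()
        if key not in KNOWN_FIELDS:
            rep.warnings.append(f"line {lineno}: unknown field {name.strip()!r}")
        rep.fields.setdefault(key, []).append(value.strip())
    return rep


def validate(text: str, now_iso: str | None = None) -> Report:
    """Apply the RFC 9116 MUST/SHOULD checks; now_iso pins the clock for tests."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    rep = parse_security_txt(text)
    f = rep.fields

    if "contact" not in f:
        rep.errors.append("Contact is required (RFC 9116 2.5.3)")
    for key in SINGLETON_FIELDS:
        if len(f.get(key, [])) > 1:
            rep.errors.append(f"{key} MUST appear at most once")

    if "expires" not in f:
        rep.errors.append("Expires is required (RFC 9116 2.5.5)")
    else:
        try:
            exp = datetime.fromisoformat(f["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            rep.errors.append("Expires is not an RFC 3339 timestamp")
        else:
            if exp.tzinfo is None:          # compare only aware datetimes
                rep.errors.append("Expires must carry a UTC offset")
            elif exp <= now:
                rep.errors.append("Expires is in the past; the file is stale")
            elif exp - now > timedelta(days=365):
                rep.warnings.append("Expires is more than a year out "
                                    "(RFC 9116 recommends less than a year)")

    for key in HTTPS_ONLY_FIELDS:
        for uri in f.get(key, []):
            scheme = urlsplit(uri).scheme.lower()
            if scheme == "http":
                rep.errors.append(f"{key}: web URI must use https: {uri}")
            elif not scheme:
                rep.errors.append(f"{key}: value is not a URI: {uri}")
    return rep


# Constructed sample: the published fields, comments stripped.
SAMPLE_OK = """\
Contact: mailto:security@zenoxcare.com
Contact: https://www.zenoxcare.com/security/disclosure
Expires: 2027-12-31T23:59:59.000Z
Encryption: https://www.zenoxcare.com/.well-known/security-pgp.asc
Acknowledgments: https://www.zenoxcare.com/security/hall-of-fame
Preferred-Languages: en, en-GH
Canonical: https://www.zenoxcare.com/.well-known/security.txt
Policy: https://www.zenoxcare.com/security/disclosure
Hiring: https://www.zenoxcare.com/careers
"""

# Constructed failing sample: no Expires, plaintext-http Contact,
# duplicate Preferred-Languages, and a line with no field separator.
SAMPLE_BAD = """\
Contact: http://example.invalid/report
Preferred-Languages: en
Preferred-Languages: fr
this line has no colon
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        rep = validate(text)
        print(label, "PASS" if rep.ok else "FAIL", rep.errors, rep.warnings)
```

Run as a pre-publish gate, a non-empty `errors` list should fail the deploy; the freshness warning is the signal to shorten `Expires` and schedule the next refresh, and it disappears once the clock is within a year of the published date.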