# Sentinel Risk Group LLC — security disclosure policy
# Reference: RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)
# Place this file at: /.well-known/security.txt

Contact: https://sentinelriskgrp.com/contact
Expires: 2027-04-28T21:27:59.000Z
Preferred-Languages: en
Canonical: https://sentinelriskgrp.com/.well-known/security.txt
Policy: https://sentinelriskgrp.com/security-policy

# Reporting guidance
# Use the /contact form to report a suspected vulnerability, data exposure,
# or security concern related to:
#   - sentinelriskgrp.com (this site)
#   - any AI Governance Shield deliverable, intake form, email, or Function
#   - the v3 PDF renderer Lambda (srg-v3-renderer)
#   - the render-deliverables, governance-chat, contact, support-chat,
#     verify, amazon-intake, governance-intake, evidence-upload, or
#     vc-intake CF Pages Functions
#
# Please include:
#   - URL or endpoint affected
#   - reproduction steps (if any)
#   - your assessment of severity
#   - whether you intend to publicly disclose, and on what timeline
#
# We commit to:
#   - acknowledge a valid report within 72 hours
#   - confirm or refute the issue within 14 calendar days
#   - coordinate a remediation timeline before any public disclosure
#
# Out of scope:
#   - rate-limit / DDoS reports against the public site (use your provider's process)
#   - reports against vendor services (Cloudflare, AWS, Postmark, Airtable, Make,
#     Stripe, Anthropic, GitHub, etc.) — please report directly to those vendors
#   - findings that depend on social engineering of Sentinel Risk Group personnel
#   - findings against legacy unpublished domains or test/staging environments
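The file above follows RFC 9116, which imposes a few hard requirements that are easy to get wrong when the file is hand-edited: `Contact` must be present, `Expires` must appear exactly once as an RFC 3339 timestamp and should be less than a year out, `Preferred-Languages` may appear at most once, and web URIs in fields such as `Contact`, `Canonical` and `Policy` must use `https://`. The following validator is an added example, not part of the published file or of Sentinel Risk Group's tooling. It parses the fields of the file reproduced from this page, checks those RFC 9116 rules, and takes the reference time as a parameter so that the "has this file expired yet" check is reproducible; the `validate_at` helper and the malformed sample in the usage block are constructed for illustration.

```python
"""Check a security.txt file against the RFC 9116 rules it is meant to follow.

Added example (not the published file's own tooling). The file is validated
offline from a string, and the reference time is passed in explicitly.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# The published file, reproduced from this page (comment lines omitted).
SECURITY_TXT = """\
Contact: https://sentinelriskgrp.com/contact
Expires: 2027-04-28T21:27:59.000Z
Preferred-Languages: en
Canonical: https://sentinelriskgrp.com/.well-known/security.txt
Policy: https://sentinelriskgrp.com/security-policy
"""

# Fields whose values are URIs; web URIs in them MUST start with https://
# (Contact may also be mailto: or tel:, which is why only http:// is flagged).
URI_FIELDS = ("contact", "canonical", "policy", "acknowledgments", "hiring", "encryption")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> values in file order.

    Lines starting with '#' and blank lines are skipped. Lines without a
    colon are kept under the pseudo-field '__malformed__' for reporting.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("__malformed__", []).append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp; return None if it is not one."""
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        parsed = datetime.fromisoformat(iso)
    except ValueError:
        return None
    # RFC 3339 requires an explicit offset (or 'Z'); reject naive values.
    return parsed if parsed.tzinfo is not None else None


def validate_security_txt(text: str, now: datetime) -> list[str]:
    """Return a list of findings; an empty list means the file passes."""
    fields = parse_security_txt(text)
    findings: list[str] = []

    for line in fields.get("__malformed__", []):
        findings.append(f"malformed line (expected 'Field: value'): {line!r}")

    # Contact: MUST appear at least once.
    if not fields.get("contact"):
        findings.append("missing required field: Contact")

    # Expires: exactly once, RFC 3339, in the future, and ideally < 1 year out.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        when = parse_rfc3339(expires[0])
        if when is None:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        elif when <= now:
            findings.append(f"file has expired ({expires[0]})")
        elif when - now > timedelta(days=365):
            findings.append("Expires is more than a year out (RFC 9116 recommends less)")

    # Preferred-Languages: MUST NOT appear more than once.
    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("Preferred-Languages appears more than once")

    # Web URIs in URI-valued fields MUST use https.
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                findings.append(f"{name} uses a non-https URI: {value}")
    return findings


def validate_at(text: str, now_rfc3339: str) -> list[str]:
    """Convenience wrapper: reference time given as an RFC 3339 string."""
    now = parse_rfc3339(now_rfc3339)
    if now is None:
        raise ValueError(f"reference time is not RFC 3339: {now_rfc3339!r}")
    return validate_security_txt(text, now)


if __name__ == "__main__":
    for finding in validate_at(SECURITY_TXT, "2026-05-01T00:00:00Z") or ["OK"]:
        print(finding)
    # Constructed broken file: no Expires, duplicate language field, http URI.
    BROKEN = "Contact: http://example.invalid/report\nPreferred-Languages: en\nPreferred-Languages: de\n"
    for finding in validate_at(BROKEN, "2026-05-01T00:00:00Z"):
        print("broken:", finding)
```

Run the module directly to check the file above; the same `validate_at` call with a reference time after 2027-04-28 reports the expiry, which is the check worth scheduling so a stale `security.txt` is caught before a reporter finds it.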