# QRCodeKey — security.txt (RFC 9116)
#
# Thank you for taking the time to look at QRCodeKey's security posture.
# If you have found a security vulnerability please follow the contact
# instructions below. We appreciate responsible disclosure and will
# acknowledge receipt within 48 hours and aim to ship a fix within
# 30 days for critical issues.

Contact: mailto:info.qrcodekey@gmail.com
Contact: tel:+1-708-690-0550
Expires: 2027-05-10T16:55:16.000Z
Encryption: https://qrcodekey.com/.well-known/security-pgp.txt
Preferred-Languages: en, hi, gu, es
Canonical: https://qrcodekey.com/.well-known/security.txt
Policy: https://qrcodekey.com/security
Acknowledgments: https://qrcodekey.com/security#hall-of-fame

# Out-of-scope (we appreciate the heads-up but these don't qualify):
# - Reports on social-engineering staff or vendors (Stripe, MongoDB Atlas, etc.)
# - Issues in third-party services (please report to them directly)
# - Missing security headers without a clear exploit
# - Self-XSS that requires a victim to paste code into their console
# - Rate-limit reports without a working PoC at the API layer
# - Outdated software versions that aren't actually vulnerable in our config
# - Attacks requiring physical access to a victim's device
#
# In-scope (we definitely want to know):
# - Authentication / authorisation bypass
# - PII exposure of any user / member / visitor / finder
# - GPS-coordinate leakage outside the recorded scan event
# - SQL / NoSQL / command injection
# - Stored or reflected XSS in any authenticated context
# - SSRF, RCE, or any pre-auth vulnerability
# - Data-subject-rights bypass (Section 9G of our Terms)
# - Anything that would let one customer see another customer's data
#
# Please do NOT publicly disclose before we have had a reasonable chance
# to fix the issue. We will credit you (with your permission) on the
# Acknowledgments page above.