# FreeSign — Security disclosure
# https://free-sign.com/.well-known/security.txt
# Spec: https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:support@coderai.dev
Contact: https://free-sign.com/support
Expires: 2027-05-18T00:00:00Z
Acknowledgments: https://free-sign.com/imprint#contact
Preferred-Languages: en
Canonical: https://free-sign.com/.well-known/security.txt
Policy: https://free-sign.com/imprint#terms

# Note: no Encryption: field is published yet — per RFC 9116 §2.5.4 it
# must reference an OpenPGP / S/MIME / age key reporters use to encrypt
# their submission, not a code-signing CA. When an encryption key is
# available it will be added; until then, please use the support form
# referenced from /imprint#contact (which is reached over HTTPS).

# Reports are read on a best-effort basis by the FreeSign team at
# Coder AI. Please follow the channel referenced from /imprint#contact
# and do not publicly disclose until we've had a reasonable window to fix.
#
# Out of scope: PDF content cannot be exfiltrated from FreeSign because
# the service never receives PDF bytes. Reports asserting otherwise will
# be triaged but typically reflect a misunderstanding of the architecture.