# 5arz security disclosure (RFC 9116)
# ===================================================================
# If you've found a security issue with 5arz — site, contracts,
# infra, or anything else — please report it through the channels
# below. We won't take legal action against good-faith researchers.
# ===================================================================

Contact: mailto:security@5arz.com
Contact: mailto:andre@thatislumi.com
Expires: 2027-05-09T00:00:00.000Z
Encryption: https://5arz.com/.well-known/pgp-key.asc
Acknowledgments: https://5arz.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://5arz.com/.well-known/security.txt
Policy: https://5arz.com/security/policy
Hiring: https://5arz.com/builders

# In-scope:
#   - 5arz.com and all subdomains
#   - 5arz smart contracts on Base mainnet (post-launch)
#   - 5arz Bio-Bridge attestation service
#   - 5arz mobile + web wallet (post-launch)
#
# Out of scope:
#   - Third-party providers (Persona, Plaid, Method, Stripe) —
#     please report to them directly.
#   - DDoS / volumetric attacks (handled by Cloudflare).
#   - Reports generated by automated scanners without a working PoC.
#
# We aim to acknowledge reports within 24 hours and resolve
# critical issues within 72 hours.