# RabbitX AI SalesOS — Security Disclosure Policy
# https://securitytxt.org/

Contact: mailto:security@rabbitxai.com
Contact: mailto:info@rabbitxai.com
Contact: https://lin.ee/uOCbxwR
Expires: 2027-05-19T00:00:00Z
Preferred-Languages: th, en
Canonical: https://rabbitxai.com/.well-known/security.txt
Policy: https://rabbitxai.com/security
Acknowledgments: https://rabbitxai.com/security#hall-of-fame

# === Responsible Disclosure Policy ===
#
# We welcome security researchers to test our infrastructure responsibly.
# Please report vulnerabilities privately before public disclosure.
#
# Scope:
# - https://rabbitxai.com/*
# - https://tamnoua.rabbitxai.com/* (demo brand)
# - LINE OA webhook integration
# - Authentication / Session management
# - PII handling (lead phone/email)
#
# Out of scope:
# - Social engineering of staff
# - Physical access attempts
# - Denial of Service / load testing
# - Spam / phishing of staff accounts
# - Issues in 3rd-party services (LINE, OpenAI)
#
# Response SLA:
# - Initial response: 48 hours
# - Triage + classify: 7 days
# - Critical fix: 14 days
# - Other fix: 30-90 days
#
# Recognition:
# - Public acknowledgment (with consent)
# - Hall of Fame at /security#hall-of-fame
# - Bug bounty rewards for critical findings (case-by-case)
#
# Please DO NOT:
# - Test on production accounts you don't own
# - Access, modify, or exfiltrate customer data
# - Disrupt service for other users
# - Disclose findings publicly before we fix them