# Aviy security policy
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@aviy.ai
Expires: 2027-06-03T12:01:49Z
Preferred-Languages: en
Canonical: https://aviy.ai/.well-known/security.txt
Policy: https://aviy.ai/security-policy

# Out of scope
# - Denial of service attacks
# - Issues already disclosed publicly without a chance to fix
# - Findings from automated scanners without a working exploit
# - Self-XSS or social-engineering of staff

# In scope
# - Authentication / authorisation bypass on aviy.ai and *.aviy.ai
# - Data exposure (other users' invoices, clients, payments, etc.)
# - Stored XSS, CSRF, SSRF, RCE, SQLi
# - Webhook replay or signature bypass
# - Race conditions in financial flows

# Please give us a reasonable window to respond and patch before
# any public disclosure. We reply to every report within 72 hours.