# Landscapes Directory — Security Policy
# https://landscapes.directory/

Contact: mailto:security@landscapes.directory
Contact: https://landscapes.directory/about
Expires: 2027-05-20T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://landscapes.directory/.well-known/security.txt
Policy: https://landscapes.directory/about

# We welcome responsible disclosure of security issues affecting
# landscapes.directory. Please describe the issue, steps to reproduce,
# and your contact details. We aim to acknowledge reports within 72 hours.
#
# Out of scope:
#   - Issues in third-party museum APIs (Wikimedia, The Met, Cleveland, AIC)
#   - Reports against the public Supabase REST endpoint that already
#     enforces row-level security (anon role, read-only on works)
#   - Rate-limit testing against Vercel's edge network
#
# In scope:
#   - The console at console.landscapes.directory
#   - Any vulnerability allowing unauthorized data modification
#   - XSS / CSRF on the public site