# Mnemom security.txt — RFC 9116
# See https://mnemom.ai/trust#disclosure for the full responsible-disclosure policy.

Contact: mailto:security@mnemom.ai
Expires: 2027-05-16T23:59:59Z
Preferred-Languages: en, fr, de, it, es
Canonical: https://mnemom.ai/.well-known/security.txt
Policy: https://mnemom.ai/trust#disclosure

# Disclosure timeline:
#  - We acknowledge within 3 business days.
#  - We confirm reproduction within 14 days.
#  - We commit to a fix or mitigation within 90 days of acknowledgment.
#  - Coordinated disclosure: 90 days from acknowledgment, or sooner if the
#    fix ships and customers are protected.
#
# Bug bounty:
#  - Scope: gateway, observer, control plane, SDKs (AAP/AIP), on-chain contracts.
#  - A formal bug bounty program is in scoping. Until launch, we run a
#    private good-faith disclosure process — eligible reports may receive
#    recognition in the public hall of fame at https://mnemom.ai/trust#hall-of-fame.
#  - Out of scope: rate-limiting, denial-of-service, social engineering,
#    physical, and third-party services (Cloudflare, Supabase, Stripe).
#
# In-scope domains:
#  - mnemom.ai, www.mnemom.ai
#  - app.mnemom.ai
#  - api.mnemom.ai, gateway.mnemom.ai
#  - trust.mnemom.ai, status.mnemom.ai
#  - docs.mnemom.ai
#
# Out-of-scope domains:
#  - Subdomains not listed above are out of scope by default.