# AIGuaratuba — Security Disclosure Policy
# RFC 9116 compliant
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@guaratuba.pr.gov.br
Contact: https://github.com/ankinow/CTt-Guaratuba-AI/security/advisories/new
Expires: 2027-06-30T23:59:59Z
Preferred-Languages: pt-BR, en
Canonical: https://aiguaratuba.pages.dev/.well-known/security.txt

# Reporting a vulnerability
# If you discover a security issue in AIGuaratuba — Radar Local,
# please email security@guaratuba.pr.gov.br with:
# 1. Description of the issue and impact
# 2. Steps to reproduce (proof-of-concept preferred)
# 3. Affected components (frontend / api / pipeline / d1 / kv / vectorize)
#
# We commit to acknowledging reports within 72h and providing a
# remediation timeline within 7 days for P0/P1 issues.
#
# Scope:
# - https://aiguaratuba.pages.dev (production)
# - https://*.aiguaratuba.pages.dev (previews)
# - api/llm/* endpoints (LLM_ADMIN_KEY protected)
# - api/admin/* endpoints (ADMIN_API_KEY protected)
#
# Out of scope:
# - DoS / DDoS attacks (handled by Cloudflare Bot Fight Mode)
# - Third-party services (OpenStreetMap, CartoDB, MapLibre)
# - Publicly available civic data (Guaratuba Prefeitura/Câmara feeds)
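A small RFC 9116 checker, added here as an example and not part of the AIGuaratuba project: it parses the field lines of a security.txt, ignores comments, and flags the defects publishers most often ship (missing Contact or Expires, a duplicated or past Expires, and a Canonical URL that does not match where the file is actually served). The sample text, the served-at URL and the reference time are constructed for the demonstration.

```python
from datetime import datetime

REQUIRED = ("Contact", "Expires")   # the only fields RFC 9116 makes mandatory

# Constructed sample that mirrors the fields published above.
SAMPLE = """# AIGuaratuba security.txt (sample)
Contact: mailto:security@guaratuba.pr.gov.br
Contact: https://github.com/ankinow/CTt-Guaratuba-AI/security/advisories/new
Expires: 2027-06-30T23:59:59Z
Preferred-Languages: pt-BR, en
Canonical: https://aiguaratuba.pages.dev/.well-known/security.txt
"""

def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp (RFC 3339 also permits a lowercase 'z')."""
    value = value.strip()
    if value[-1:] in ("Z", "z"):
        value = value[:-1] + "+00:00"   # older fromisoformat needs a numeric offset
    return datetime.fromisoformat(value)

def parse_security_txt(text):
    """Map field name -> list of values; comment and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, served_at, now):
    """Return findings (empty list = sound). `now` is an RFC 3339 reference time."""
    ref = parse_rfc3339(now)
    fields = parse_security_txt(text)
    findings = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = parse_rfc3339(value)
        except ValueError:
            findings.append(f"Expires is not RFC 3339: {value!r}")
            continue
        if when.tzinfo is None:
            findings.append(f"Expires lacks a timezone offset: {value!r}")
        elif when <= ref:
            findings.append(f"file expired on {value}; update it or researchers will distrust it")
    canonical = fields.get("Canonical", [])
    if canonical and served_at not in canonical:
        findings.append(f"served from {served_at} but Canonical lists {canonical}")
    return findings
```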