# HostStack — security disclosure policy
#
# We welcome responsible disclosure of security issues. If you've found a
# vulnerability in HostStack itself or in a customer service running on our
# infrastructure, please reach out at the contact below.
#
# Scope:
#   - hoststack.dev + subdomains
#   - HostStack-published npm packages (@hoststack.dev/sdk, /cli, /mcp)
#   - The agent runtime that runs customer containers
#
# Out of scope:
#   - Customer applications running on HostStack (report directly to the
#     customer; we forward unsigned reports to the affected team).
#   - DoS attempts (we ratelimit, please don't try).
#   - Spam / phishing / social engineering (not security findings).
#
# Please give us 90 days to fix before public disclosure. We respond
# within 24h on weekdays.

Contact: mailto:security@hoststack.dev
Contact: https://hoststack.dev/security
Preferred-Languages: en, da
Canonical: https://hoststack.dev/.well-known/security.txt
Policy: https://hoststack.dev/security
Expires: 2027-12-31T23:59:59Z