# LyDos — Responsible disclosure / Vulnerability reporting (RFC 9116)
# Updated 2026-05-14 (Sprint 36 Phase 6 — bug bounty live)

Contact: mailto:security@lydos.ailydian.com
Contact: mailto:security@ailydian.com
Contact: https://lydos.ailydian.com/security/responsible-disclosure
Expires: 2027-12-31T23:59:59Z
Encryption: https://lydos.ailydian.com/.well-known/pgp-key.asc
Preferred-Languages: en, tr
Canonical: https://lydos.ailydian.com/.well-known/security.txt
Policy: https://lydos.ailydian.com/security/responsible-disclosure
Acknowledgments: https://lydos.ailydian.com/security/acknowledgments

# Programmatic intake (preferred for security researchers):
#   POST https://lydos.ailydian.com/api/security/disclosure
#   Content-Type: application/json
#   Body: {title, severity_estimate, report, contact, pgp_fingerprint?, affected_url?, want_credit?}
#   Verify receipt: GET /api/security/disclosure/verify/{report_id}
#   The response includes the SHA-256 of the report body plus a KSL acknowledgement
#   (HMAC over report_id + sha256). With the exact bytes you posted and that
#   acknowledgement you can prove your report was received at a given time,
#   even if email follow-up is delayed.

# Bounty tiers (USD; subject to scope + impact verification):
#   CRITICAL  RCE / RLS bypass / KSL bypass / full leak         5,000 - 25,000
#   HIGH      Auth bypass / SSRF / takeover / audit tamper       1,000 - 5,000
#   MEDIUM    Reflected XSS / scoped IDOR / critical CSRF          250 - 1,000
#   LOW       Best-practice / info-disclosure, no impact      public credit only

# In scope:
#   - https://lydos.ailydian.com (production + dashboard)
#   - https://*.lydos.ailydian.com regional subdomains
#   - Public API endpoints under /api/* (excluding /api/admin/*)
#   - LyDos CLI (claude-code distribution channel)

# Out of scope:
#   - Denial of service / volumetric attacks
#   - Social engineering of LyDos / Ailydian staff
#   - Physical security of premises
#   - Third-party SaaS (Stripe, Google OAuth) — report upstream
#   - Vulnerabilities requiring root or physical device access
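The receipt check described in the programmatic-intake block, as an added example that is not LyDos code and not part of security.txt: it serializes the intake body with a fixed byte layout, records the SHA-256 of those exact bytes, compares that digest against what verify/{report_id} echoes back, and shows the shape of an HMAC acknowledgement over report_id + sha256. The page does not define the verify response fields, the canonicalization of "the report body", or the exact HMAC input concatenation; the field names "sha256" and "ack", the plain concatenation of report_id and the hex digest, the signing key and the sample report are all assumptions constructed here.

```python
"""Added example (not LyDos code): build a disclosure body, keep its digest,
and check a verify/{report_id} receipt against it offline.

Assumptions not stated by security.txt: the digest is SHA-256 over the exact
JSON bytes posted; the verify response carries it under "sha256" and the
acknowledgement under "ack"; the KSL acknowledgement is HMAC-SHA256 over the
UTF-8 bytes of report_id followed by the hex digest. The key, the report_id
and the report text below are constructed for the demo."""
import hashlib
import hmac
import json

INTAKE_URL = "https://lydos.ailydian.com/api/security/disclosure"  # from security.txt


def build_report_body(title, severity_estimate, report, contact,
                      pgp_fingerprint=None, affected_url=None, want_credit=None):
    """Serialize the intake body with sorted keys and no whitespace so the
    bytes you hash are exactly the bytes you send. Optional fields (the '?'
    ones in security.txt) are omitted rather than sent as null."""
    body = {
        "title": title,
        "severity_estimate": severity_estimate,
        "report": report,
        "contact": contact,
    }
    for key, value in (("pgp_fingerprint", pgp_fingerprint),
                       ("affected_url", affected_url),
                       ("want_credit", want_credit)):
        if value is not None:
            body[key] = value
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def report_digest(body_bytes):
    """Hex SHA-256 of the exact bytes posted; store it with a timestamp."""
    return hashlib.sha256(body_bytes).hexdigest()


def receipt_matches_body(body_bytes, verify_response):
    """True when the digest echoed by verify/{report_id} (assumed field
    "sha256") equals the digest of the bytes you actually posted."""
    echoed = verify_response.get("sha256", "")
    return hmac.compare_digest(echoed, report_digest(body_bytes))


def ksl_acknowledgement(key, report_id, digest_hex):
    """Assumed shape of the KSL acknowledgement: HMAC-SHA256 over
    report_id + sha256 (plain concatenation). Only a holder of the key can
    produce or check it; the researcher just stores it as the receipt."""
    message = (report_id + digest_hex).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def acknowledgement_matches(key, report_id, digest_hex, ack_hex):
    """Constant-time check of a stored acknowledgement under a given key."""
    expected = ksl_acknowledgement(key, report_id, digest_hex)
    return hmac.compare_digest(expected, ack_hex)


if __name__ == "__main__":
    # Constructed sample report; nothing here is a real finding.
    body = build_report_body(
        title="Example: reflected parameter echoed without encoding",
        severity_estimate="MEDIUM",
        report="Steps to reproduce go here.",
        contact="researcher@example.com",
        affected_url="https://lydos.ailydian.com/example",
        want_credit=True,
    )
    digest = report_digest(body)
    # Real flow: POST body to INTAKE_URL with Content-Type: application/json,
    # then GET /api/security/disclosure/verify/{report_id}. Simulated below.
    demo_key = b"constructed-demo-key-not-the-real-KSL-key"
    report_id = "rpt-example-0001"
    simulated_response = {
        "report_id": report_id,
        "sha256": digest,
        "ack": ksl_acknowledgement(demo_key, report_id, digest),
    }
    print("digest matches posted bytes:", receipt_matches_body(body, simulated_response))
    print("ack verifies under demo key:", acknowledgement_matches(
        demo_key, report_id, digest, simulated_response["ack"]))
```

The point a researcher should take from this is that the receipt only proves anything about the bytes you can still reproduce: serialize once, hash those bytes, post those same bytes, and keep body, digest, report_id and acknowledgement together with the time you fetched the verify endpoint. Re-serializing later with a different key order or whitespace yields a different digest and the receipt will no longer match.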