# WagaWise security policy
# We're a small project; please be patient with response times.

Contact: mailto:hello@wagawise.com
Expires: 2027-05-19T05:28:54.004Z
Preferred-Languages: en, am
Canonical: https://wagawise.com/.well-known/security.txt

# What's in scope:
#   - The web app at https://wagawise.com
#   - The ingestion / cron endpoints under /api/cron/
#   - The admin endpoints under /api/admin/ (authentication is required)
#
# What's out of scope:
#   - Findings on third-party services (Vercel, Supabase, GitHub) — please
#     report those to the respective vendor directly.
#   - Denial of service / rate-limit bypass via distributed sources
#     (we acknowledge this is possible and have it on our v1.1 list).
#
# Disclosure: 90 days from initial report is the default coordination
# window. We'll respond within 7 days to acknowledge.