# FRB Agent — Security Policy
# RFC 9116 compliant security disclosure file
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@ai-frb.com
Expires: 2027-04-30T23:59:59.000Z
Preferred-Languages: en
Canonical: https://ai-frb.com/.well-known/security.txt
Policy: https://ai-frb.com/vulnerability
Acknowledgments: https://ai-frb.com/security
Hiring: https://github.com/FRB-Labs

# Scope
# This security policy applies to:
#   - ai-frb.com (and all subdomains)
#   - The FRB Agent Windows binary distributed via github.com/FRB-Labs/FRB-Agent
#   - Backend infrastructure used for telemetry and licensing
#
# Out of scope:
#   - Third-party RPC providers (Alchemy, QuickNode, BloXroute, etc.)
#   - Block builder / relay infrastructure (Flashbots, Jito, Titan)
#   - User wallets and self-custodied keys
#
# Disclosure expectations
# Please give us 90 days from initial report to remediate before public disclosure.
# We commit to acknowledging reports within 24 hours and providing a remediation
# timeline within 72 hours.