# RFC 9116 — security.txt for MurmurHost
# https://murmurhost.com/.well-known/security.txt

Contact: mailto:legal@murmurhost.com
Contact: https://murmurhost.com/contact
Expires: 2027-05-18T14:09:30.644Z
Preferred-Languages: en
Canonical: https://murmurhost.com/.well-known/security.txt
Policy: https://murmurhost.com/legal/aup
Acknowledgments: https://murmurhost.com/about

# Vulnerability disclosure timeline:
#   * Initial response within 48 hours (typical < 12 hours during EU business hours)
#   * Triage and fix ETA within 5 business days
#   * Coordinated disclosure window: 90 days from initial report
#
# We DO NOT operate a paid bug bounty at this stage, but we credit researchers
# who report responsibly on the /about acknowledgments roll (with consent).
#
# In scope: https://murmurhost.com and *.murmurhost.com
# Out of scope: Customer-deployed services on customer VPS instances —
#   those are operated by the customer, not MurmurHost. Report security
#   issues affecting a specific customer's service to that customer directly.