Contact: mailto:security@rexa.one
Expires: 2027-05-19T00:00:00.000Z
Preferred-Languages: en, nl
Canonical: https://rexa.one/.well-known/security.txt
Policy: https://rexa.one/security/disclosure
Acknowledgments: https://rexa.one/security/researchers

# Rexa coordinated-disclosure policy
#
# Full policy: https://rexa.one/security/disclosure
# Hall of fame: https://rexa.one/security/researchers
#
# Quick version. Email security@rexa.one with:
#   - what you found (and where)
#   - how to reproduce it
#   - your name + handle so we can credit you (or "anonymous")
#
# We acknowledge within 1 business day, triage within 5, and work to
# a coordinated fix on a timeline scaled to severity. Safe-harbor
# applies to good-faith research per the policy linked above.
#
# Scope: rexa.one, app.rexa.one, staff.rexa.one, api.rexa.fly.dev,
# rexa-api.fly.dev, the iOS app (App Store bundle id one.rexa.ios),
# and the @rexa/* open-source packages on GitHub. Sub-processors are
# out of scope — report those to the upstream vendor.
#
# When we ship encrypted intake the Encryption: field below will be
# populated with the PGP key fingerprint. Until then, please send
# unencrypted reports to security@rexa.one — your inbound TLS hop
# protects the message in transit and the inbox is read by a small
# set of named people.
# Encryption: (pending — see policy page for status)