# Foothold — security disclosure policy (RFC 9116)
#
# Foothold is a solo-built, pre-launch Slack onboarding copilot for paid
# communities. If you've found a security issue, please tell us before you
# tell anyone else. We'll acknowledge within 48 hours and work with you on
# a fix — we'd rather hear about a vulnerability from you than from an
# operator whose paid workspace has already been touched.
#
# This file is served at two paths for RFC 9116 compliance:
#   https://foothold.community/.well-known/security.txt  (canonical)
#   https://foothold.community/security.txt              (legacy fallback)
# Both carry identical content, and both are listed as Canonical below,
# so the file is valid from whichever of the two URLs it was fetched.

Contact: mailto:hello@foothold.community
Contact: https://x.com/bitinvestigator
Expires: 2027-04-23T00:00:00.000Z
Preferred-Languages: en
Canonical: https://foothold.community/.well-known/security.txt
Canonical: https://foothold.community/security.txt
Policy: https://foothold.community/install-preview.html

# ------------------------------------------------------------------
# In scope
# - foothold.community and any *.foothold.community subdomain
# - the Slack OAuth install flow described at /install-preview.html
#   once it ships (Foothold is pre-launch — no production customer
#   data exists yet; reports on the install flow itself are still
#   welcome and will be treated as in scope, per the scope listed
#   on /install-preview.html)
#
# Out of scope
# - social profiles (the @bitinvestigator X account and any
#   third-party community mentions linking to the site)
# - Slack itself, Caddy, Node.js, SQLite, and other upstream software
#   we run — please report those to their maintainers first; if the
#   advisory affects our installation, forward it to us and we'll
#   track remediation on our side
# - our GitLab and domain-registrar accounts — report to those
#   providers directly; if you notify us we'll rotate credentials
#
# Rules of engagement
# - please do not access, modify, exfiltrate, or destroy data that
#   isn't yours
# - please cap automated scanning at roughly 1 request per second —
#   the VPS is shared with other pre-launch projects and scanner
#   noise is the dominant cost driver on the shared account
# - please do not test against a real Slack workspace that isn't
#   your own; spin up a free Slack workspace of your own, register
#   a test app against it at api.slack.com/apps, and exercise the
#   OAuth flow there
# - if a test inadvertently touches data you didn't intend to reach,
#   stop, tell us, and we'll work out disclosure together
#
# Disclosure window
# We ask for a 90-day embargo between your initial report and any
# public writeup, extendable by mutual agreement if the fix isn't
# ready. We will work with you on a timeline that reflects severity
# and exploit complexity — we won't ambush you with "please keep it
# private forever" after accepting a report.
#
# What you get
# - an acknowledgement from a real human inside 48 hours, not an
#   auto-reply
# - a written fix plan with a target shipping date, or a clear
#   explanation of why we've chosen to accept the risk and what
#   compensating controls are in place
# - public credit on the site once the fix ships, with your name
#   and link of choice (or anonymous if you prefer)
# - no bug bounty at this stage — we're pre-revenue, single operator;
#   this is explicitly a research-and-credit arrangement, not a paid
#   programme, and we'd rather be honest about that up front than
#   hint at a reward pool that doesn't yet exist. If Foothold reaches
#   revenue that can sustain one, this file will be updated and the
#   Policy line will change
#
# Safe harbour
# Good-faith security research conducted under this policy will not
# trigger legal action from us. If a third party (e.g. our hosting
# provider, registrar, or upstream service) takes action against you
# for something you reported to us in good faith, we will advocate
# on your behalf and document the engagement publicly if that helps.
#
# ------------------------------------------------------------------
# Meta
# Expires 2027-04-23 (one year from publication; RFC 9116 §2.5.5
# recommends an Expires value less than a year into the future).
# This file will be refreshed before that date, or rotated sooner if
# contact details change. Historic versions live in the git history
# of the public landing repo.
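An added example, not part of Foothold's published file or its code: a small Python checker that applies the RFC 9116 rules this policy relies on (Contact and Expires are required, web URIs must be https://, Expires is an RFC 3339 timestamp that lies in the future and, per the recommendation, less than a year out, and the URL the file was fetched from should appear in its Canonical list; Expires and Preferred-Languages may appear only once). The sample input is constructed from the field lines above, and the reference times NOW and AFTER_EXPIRY are assumptions chosen to fall inside and after the file's validity window rather than the real clock, so runs are reproducible.

```python
"""Minimal RFC 9116 security.txt checker (added example, not Foothold's code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample: the field lines of the policy above, plus one comment line.
SAMPLE = """\
# Foothold - security disclosure policy (RFC 9116)
Contact: mailto:hello@foothold.community
Contact: https://x.com/bitinvestigator
Expires: 2027-04-23T00:00:00.000Z
Preferred-Languages: en
Canonical: https://foothold.community/.well-known/security.txt
Canonical: https://foothold.community/security.txt
Policy: https://foothold.community/install-preview.html
"""

# Assumed reference times (not the real clock) so the checks are reproducible.
NOW = datetime(2026, 4, 30, tzinfo=timezone.utc)            # inside the window
AFTER_EXPIRY = datetime(2027, 5, 1, tzinfo=timezone.utc)    # after Expires

# Fields RFC 9116 says MUST NOT appear more than once.
SINGLETON_FIELDS = ("expires", "preferred-languages")
# Schemes permitted per field: Contact may be mailto/tel/https, the rest https only.
ALLOWED_SCHEMES = {
    "contact": ("https", "mailto", "tel"),
    "canonical": ("https",),
    "policy": ("https",),
}


def parse_security_txt(text):
    """Return (fields, errors); fields maps lowercase field name -> list of values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must not appear more than once")
    return fields, errors


def check_expires(value, now):
    """Validate one Expires value against an aware reference time `now`."""
    try:
        # RFC 3339 timestamp; 'Z' is rewritten so pre-3.11 fromisoformat parses it.
        exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return [f"Expires {value!r} is not an RFC 3339 timestamp"]
    if exp.tzinfo is None:
        return ["Expires must carry a timezone offset"]
    if exp <= now:
        return ["file has expired; do not rely on its contact details"]
    if exp - now > timedelta(days=365):
        return ["Expires is more than a year out (RFC 9116 recommends less)"]
    return []


def check(text, fetched_from, now):
    """Return a list of problems; an empty list means the file passes."""
    fields, errors = parse_security_txt(text)
    if not fields.get("contact"):
        errors.append("Contact is required")
    if not fields.get("expires"):
        errors.append("Expires is required")
    else:
        errors += check_expires(fields["expires"][0], now)
    for name, allowed in ALLOWED_SCHEMES.items():
        for uri in fields.get(name, []):
            if urlparse(uri).scheme not in allowed:
                errors.append(f"{name} value {uri!r} must use one of: "
                              + ", ".join(allowed))
    canonical = fields.get("canonical", [])
    if canonical and fetched_from not in canonical:
        errors.append(f"fetched from {fetched_from}, which is not in the "
                      "Canonical list; treat the file as not authoritative")
    return errors


if __name__ == "__main__":
    for url in ("https://foothold.community/.well-known/security.txt",
                "https://foothold.community/security.txt"):
        print(url, "->", check(SAMPLE, url, NOW) or "ok")
```

The checker deliberately takes `now` as a parameter: a file that was fine when published silently becomes stale, so the same function can be run in a scheduled job against the live URL with the real clock to catch the expiry before researchers do.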