# EpochPay (dkap-pay) — RFC 9116 security.txt
# https://epochpay.today/.well-known/security.txt

Contact: mailto:security@epochpay.today
Contact: https://epochpay.today/security
Expires: 2027-05-16T00:00:00.000Z
Encryption: https://epochpay.today/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://epochpay.today/.well-known/security.txt
Policy: https://epochpay.today/security
Acknowledgments: https://epochcorellc.com/trust
Hiring: https://epochpay.today/merchants

# In scope:
#   - https://epochpay.today/* (worker: dkap-pay)
#   - Receipt forgery, WORM chain tampering, authorization bypass on /v1/*
#
# Out of scope:
#   - Social engineering, DoS, physical access
#   - Third-party services (Cloudflare, Coinbase Base, Stripe)
#
# Triage SLA:
#   Critical: 24h · High: 72h · Medium/Low: 5 business days
#
# Coordinated-disclosure default: 90 days from triage.
# Good-faith research within stated scope is authorized
# and will not result in legal action by EpochCore LLC.