# Security policy for pharwiz.com
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:contact@pharwiz.com
Expires: 2027-05-08T00:00:00.000Z
Preferred-Languages: fr, en
Canonical: https://www.pharwiz.com/.well-known/security.txt
Policy: https://www.pharwiz.com/securite

# Pharwiz welcomes responsible disclosure of security vulnerabilities.
# Please email contact@pharwiz.com with a description of the issue,
# steps to reproduce, and any proof-of-concept material.
#
# We commit to:
#  - Acknowledge receipt within 5 working days
#  - Work in good faith with researchers acting responsibly
#  - Not pursue legal action against researchers who follow this policy
#
# In scope:
#  - https://www.pharwiz.com (frontend)
#  - https://api.pharwiz.com (backend API)
#  - Pharwiz scanner agent (Windows installer)
#
# Out of scope:
#  - Third-party services (Stripe, Resend, OVH, Scaleway)
#  - Social engineering of Pharwiz staff or pharmacy users
#  - Denial of service / volumetric attacks
#  - Physical attacks on infrastructure