# Security policy for bronsonjob.com — RFC 9116
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:bronson@bronsonjob.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://www.bronsonjob.com/.well-known/security.txt
Policy: https://www.bronsonjob.com/legal/privacy

# Scope
# In-scope: bronsonjob.com, www.bronsonjob.com, *.bronsonjob.com,
#   the public Facts API at /api/v1/facts/*, the public Bronson Job
#   Index API at /api/v1/vancouver-special-index/*, /llms.txt, /codex,
#   /glossary, /transparency, /codex/diff, /codex/changelog/*,
#   /embed/v1/*, the MCP server at packages/mcp-bc-real-estate, and
#   the Verified-by-Bronson signature infrastructure under
#   /.well-known/{keys,codex-signature}.json.
#
# Out-of-scope: VOW-gated routes (/search, /search/*), auth-gated
#   routes (/account, /account/*, /auth/*, /admin/*), and the Repliers
#   listing-data fetch path. These contain MLS-licensed data subject
#   to the GVR VOW audit posture; security issues there should be
#   reported to BCFSA and to Repliers directly.

# Reporting preferences
# Please describe the issue, reproduction steps, and any proof-of-
# concept. We will acknowledge within 5 business days. We do not
# operate a bug bounty program, but we will credit researchers in
# the /transparency page if they consent.