# Luma PCOS Tracker — Security Vulnerability Reporting
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@luma-pcos.com
Contact: mailto:dpo@luma-pcos.com
Expires: 2027-05-10T00:00:00.000Z
Preferred-Languages: en, ar
Canonical: https://www.luma-pcos.com/.well-known/security.txt
Policy: https://www.luma-pcos.com/privacy

# Scope
# In scope: *.luma-pcos.com, the Luma iOS app (com.lumapcos.app), and the Luma Android app (com.lumapcos.app)
# Out of scope: third-party services we use (Vercel, Supabase, Cloudflare, Zoho, Google, Apple, Meta) — please report to those vendors directly.

# What we ask of researchers
# - Give us a reasonable window to respond (we aim to acknowledge within 5 business days).
# - Do not access, modify, or delete data that does not belong to you.
# - Do not exfiltrate data beyond the minimum needed to demonstrate the issue.
# - Do not perform denial-of-service testing against production.
# - Do not use social engineering against our team or users.

# What we commit to
# - Acknowledge your report within 5 business days.
# - Provide an estimated timeline for remediation within 14 days.
# - Credit you in our security acknowledgments page if you wish.
# - Not pursue legal action for good-faith research within this scope.