# iTmethods Vulnerability Disclosure Policy
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
# We welcome reports from security researchers and customers.

Contact: mailto:security@itmethods.com
Contact: https://itmethods.com/security
Expires: 2027-04-29T00:00:00.000Z
Encryption: https://itmethods.com/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://itmethods.com/.well-known/security.txt
Policy: https://itmethods.com/security
Hiring: https://itmethods.com/about

# Scope: itmethods.com and all *.itmethods.com subdomains, plus
# the iTmethods Fortress Family — Reign, Forge, BioCompute — and
# any infrastructure operated by iTmethods Inc.
#
# Out of scope: customer-tenant deployments operated under
# customer control; third-party SaaS we integrate with (please
# report directly to the vendor).
#
# Response targets:
#   - Acknowledgement: within 2 business days
#   - Initial triage: within 5 business days
#   - Resolution timeline: communicated within 10 business days
#
# Safe harbor: We will not pursue legal action against researchers
# who follow this policy in good faith. Please do not access,
# modify, or destroy customer data, do not run automated scans
# that disrupt service, and do not publicly disclose findings
# until we have had a reasonable opportunity to remediate.