# BloodConnect Security Policy
# https://securitytxt.org/

Contact: mailto:security@bloodlinks.org
Contact: https://bloodlinks.org/security
Expires: 2027-01-12T00:00:00.000Z
Encryption: https://bloodlinks.org/.well-known/pgp-key.txt
Preferred-Languages: en, sw, pt, fr
Canonical: https://bloodlinks.org/.well-known/security.txt
Policy: https://bloodlinks.org/security-policy
Hiring: https://bloodlinks.org/careers

# Scope
# We welcome responsible disclosure of security vulnerabilities in:
# - bloodlinks.org (web application)
# - api.bloodlinks.org (API endpoints)
# - Mobile applications (iOS and Android)
#
# Out of Scope:
# - Third-party services and dependencies
# - Social engineering attacks
# - Physical security
# - Denial of Service attacks

# Acknowledgments
# We maintain a hall of fame for security researchers who have
# responsibly disclosed vulnerabilities:
# https://bloodlinks.org/security/acknowledgments

# HIPAA Notice
# BloodConnect handles Protected Health Information (PHI).
# Please handle any discovered vulnerabilities with extra care
# and do not access, modify, or exfiltrate any PHI during testing.