# RFC 9116 security disclosure contact for oid4pay.com.
#
# Coordinated disclosure is welcome under the safe-harbor policy at the
# /security URL. Encrypt non-trivial reports with the team PGP key
# referenced by the Encryption line below.
#
# Acknowledgments and Hall of Fame are public at the Policy URL.
#
# PGP-signing procedure (operator runbook):
#   1. Generate the team key:
#        gpg --quick-generate-key 'security@oid4pay.com' ed25519 cert,sign 2y
#   2. Export the public block to /.well-known/security-pgp.asc.
#   3. Sign this file:
#        gpg --clearsign --output security.txt.signed security.txt
#      The clear-signed copy lives next to this file at
#      /.well-known/security.txt.signed.
#   4. On each rotation (every 90 days), sign a fresh copy and
#      replace both files atomically. The clear-signed variant is the
#      RFC 9116 §3 PGP-signed presentation; this unsigned file remains
#      machine-parseable for crawlers.

Contact: mailto:security@oid4pay.com
Contact: https://oid4pay.com/security
Expires: 2027-05-21T00:00:00Z
Encryption: https://oid4pay.com/.well-known/security-pgp.asc
Preferred-Languages: en, nl, de, fr
Acknowledgments: https://oid4pay.com/security#acknowledgments
Canonical: https://oid4pay.com/.well-known/security.txt
Policy: https://oid4pay.com/docs/security/policy
Hiring: https://oid4pay.com/careers
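A pre-publish check for the fields above, as an added example that is not part of the oid4pay.com file or its operator runbook. It parses a constructed copy of the field lines, enforces the RFC 9116 rules that Contact must be present, that Expires and Preferred-Languages appear at most once, that Expires still lies in the future (and, as the RFC recommends, less than a year out), and flags web URLs that are not https. The `now` parameter, the `SAMPLE` constant and the function names are the example's own assumptions, chosen so the check is deterministic and runs offline.

```python
"""Minimal RFC 9116 security.txt checker (added example, not the site's own tooling)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the field lines of the oid4pay.com file, plus a comment
# line to show that '#' lines are ignored by the parser.
SAMPLE = """\
# comment lines are skipped
Contact: mailto:security@oid4pay.com
Contact: https://oid4pay.com/security
Expires: 2027-05-21T00:00:00Z
Encryption: https://oid4pay.com/.well-known/security-pgp.asc
Preferred-Languages: en, nl, de, fr
Acknowledgments: https://oid4pay.com/security#acknowledgments
Canonical: https://oid4pay.com/.well-known/security.txt
Policy: https://oid4pay.com/docs/security/policy
Hiring: https://oid4pay.com/careers
"""

# Fields that RFC 9116 allows at most once per file.
SINGLETON_FIELDS = ("expires", "preferred-languages")
# Fields whose values are web URIs and should therefore be served over https.
WEB_URI_FIELDS = ("encryption", "canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {lowercased field name: [values]}; comments and blank lines are dropped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now, expected_canonical=None):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    fields = parse_security_txt(text)

    # Contact is the one mandatory field; mailto:, https: and tel: are the usual schemes.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if urlparse(contact).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact uses an unexpected scheme: {contact}")

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # Expires must be present, parseable, in the future and (recommended) < 1 year out.
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires field")
    else:
        try:
            when = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 UTC timestamp: {expires[0]}")
        else:
            if when <= now:
                problems.append("file has expired")
            elif (when - now).days > 365:
                problems.append("Expires is more than a year in the future")

    for name in WEB_URI_FIELDS:
        for uri in fields.get(name, []):
            if urlparse(uri).scheme != "https":
                problems.append(f"{name} is not served over https: {uri}")

    # Canonical should list the URL this file is actually published at.
    if expected_canonical and expected_canonical not in fields.get("canonical", []):
        problems.append("Canonical does not list this file's own URL")

    return problems


if __name__ == "__main__":
    # Example run against the sample with a fixed 'now' (a constructed date).
    report = check_security_txt(
        SAMPLE,
        now=datetime(2026, 6, 1, tzinfo=timezone.utc),
        expected_canonical="https://oid4pay.com/.well-known/security.txt",
    )
    print("OK" if not report else "\n".join(report))
```

Run it as part of the rotation step before the signed and unsigned copies are swapped in; a non-empty report is a reason not to publish.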