# Zoza — Security Disclosure Policy
# https://zoza.world

Contact: mailto:security@zoza.world
Expires: 2027-04-11T00:00:00.000Z
Preferred-Languages: en
Canonical: https://zoza.world/.well-known/security.txt
Policy: https://zoza.world/about/transparency.html

# Scope
# - zoza.world (web client)
# - zoza-backend.fly.dev (API + WebSocket)
# - media.zoza.world (encrypted media CDN)
# - Mobile apps (iOS, Android)
# - Desktop apps (Windows, macOS, Linux)
#
# Out of scope
# - Social engineering
# - Physical attacks
# - DoS / volumetric attacks
# - Third-party services (Fly.io, Cloudflare, R2)
#
# Please report cryptographic weaknesses, key exchange flaws,
# session hijacking, or any path to plaintext access PRIVATELY
# before public disclosure. We aim to respond within 72 hours.