-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Security Policy — Revalytics Inc.
# https://revalytics.ai/.well-known/security.txt
# Conforms to: https://securitytxt.org/ (RFC 9116)

Contact: mailto:security@revalytics.ai
Contact: https://revalytics.ai/security
Expires: 2027-05-05T00:00:00.000Z
Preferred-Languages: en
Canonical: https://revalytics.ai/.well-known/security.txt
Policy: https://revalytics.ai/security

# ── Scope ────────────────────────────────────────────────────
# In scope:  *.revalytics.ai — web application, API endpoints, authentication
# Out of scope: Third-party integrations (ServiceTitan, Google, Meta, etc.)
#              Social media accounts, physical infrastructure

# ── What we want to hear about ────────────────────────────────
# • Authentication/authorization bypass
# • Data exposure or PII leakage
# • Cross-site scripting (XSS) or injection vulnerabilities
# • Insecure direct object references
# • Security misconfigurations

# ── Response commitment ───────────────────────────────────────
# • Acknowledgment within 72 hours
# • Status update within 7 business days
# • We will not pursue legal action for good-faith disclosures
# • We do not currently offer a bug bounty program

# ── Hiring ───────────────────────────────────────────────────
Hiring: https://revalytics.ai/about
-----END PGP SIGNED MESSAGE-----