# Security Policy for DomainOptic
# https://domainoptic.com/.well-known/security.txt
# Last updated: 2026-02-07

Contact: mailto:brenbuilds@protonmail.com
Expires: 2027-02-28T23:59:59.000Z
Preferred-Languages: en
Canonical: https://domainoptic.com/.well-known/security.txt

# About DomainOptic
# DomainOptic is a website security audit tool. We perform two types of scanning:
#
# 1. PASSIVE SCANNING (all users): Fetches publicly accessible content the same
#    way browsers do - HTML, JavaScript, HTTP headers, DNS records, SSL certificates.
#    No authentication bypass, no exploitation, no restricted area access.
#
# 2. ACTIVE SCANNING (Pro users only): The Ghost API Hunter checks ~50 well-known
#    paths (/.env, /.git, /actuator/env, etc.) for exposed configuration files.
#    Active scanning requires: paid Pro subscription, DNS TXT domain ownership
#    verification, and user attestation of authorization. Scans are rate-limited
#    (3 concurrent requests, 1s delays) and identify as:
#    User-Agent: DomainOptic Security Scanner/2.0 (https://domainoptic.com/scanner-info)
#
# For technical details, see: https://domainoptic.com/scanner-info

# Responsible Disclosure
# If you discover a security vulnerability in DomainOptic, please report it
# to us at brenbuilds@protonmail.com. We appreciate your help in keeping
# our users safe.

# Scope
# - domainoptic.com (main website)
# - api.domainoptic.com (API)
# - All subdomains of domainoptic.com

# Out of Scope
# - Third-party services we link to (registrars, etc.)
# - Social engineering attacks
# - Denial of service attacks

# Opt-Out
# Domain owners who wish to exclude their domain from being scanned may
# contact brenbuilds@protonmail.com. We maintain an exclusion list and
# honor removal requests within a reasonable timeframe.

# Acknowledgments
# We appreciate security researchers who help us improve. Thank you!