# CoDi Tennis (coaching.direct) - Security Policy # RFC 9116 - https://www.rfc-editor.org/rfc/rfc9116 Contact: mailto:security@coaching.direct Expires: 2027-05-15T00:00:00.000Z Preferred-Languages: en Canonical: https://coaching.direct/.well-known/security.txt Policy: https://coaching.direct/tennis/legal/privacy#11-notifiable-data-breaches # Scope # In-scope: coaching.direct and any subdomain (including the /tennis path). # Out-of-scope: third-party services we use (Stripe, Supabase, Resend, Vercel, # Sentry, Anthropic) - please report to those vendors directly. # Responsible disclosure # - Email security@coaching.direct with reproduction steps. # - Please give us a reasonable opportunity to fix before public disclosure # (typically 30 days for low-severity issues, 90 days for those requiring # coordinated remediation). # - We don't pay bug bounties at this time, but we will credit you in the # release notes for the fix unless you ask us not to. # - CoDi Tennis handles personal data about minors. Please prioritise reporting # anything that could expose a child's identity, location, or video footage. # What we will NOT pursue # - Good-faith security research that follows this policy. # - Reports for vulnerabilities found without disrupting other users' # accounts, exfiltrating real production data, or violating Australian # law.