# MAN1K.XYZ — Security Policy
# RFC 9116 compliant

Contact: mailto:void@man1k.xyz
Expires: 2027-03-01T00:00:00.000Z
Preferred-Languages: en, ru
Canonical: https://man1k.xyz/.well-known/security.txt
Policy: https://man1k.xyz/.well-known/security-policy.txt

# -------------------------------------------------------
# man1k.xyz is a static artist website with no user
# accounts, no login system, and no payment processing.
#
# In scope for responsible disclosure:
# - XSS / content injection in any page
# - Service Worker cache poisoning
# - Open redirect vulnerabilities
# - Sensitive data exposure via JS/API endpoints
# - Subdomain takeover or DNS misconfiguration
# - CSP bypass
#
# Out of scope:
# - Third-party embeds (Bandsintown, SoundCloud, Bandcamp)
# - Social media accounts
# - Denial of service attacks
# - Issues requiring physical access to infrastructure
# - Brute force against non-existent auth endpoints
#
# Please allow up to 72 hours for an initial response.
# We ask that you do not publicly disclose findings
# until we have had a reasonable opportunity to address them.
# -------------------------------------------------------