# Security disclosure policy for Apex Platform / South Lodge
# Per RFC 9116 (https://datatracker.ietf.org/doc/html/rfc9116)
#
# Filed: 2026-05-07
# Owner: james.underwood@live.co.uk
# Source-controlled at: public/.well-known/security.txt

# Primary contact for vulnerability reports.
# Please include in your initial email: a clear description, repro steps,
# expected vs actual behaviour, severity assessment (CVSS or your own),
# and any PII you encountered (we'll need to log that exposure).
Contact: mailto:security@southlodge.ai

# Expiry — re-issue this file before this date (RFC 9116 §2.5.5 max-age
# guidance: ≤ 1 year). Tracked by the secrets-rotation-watcher agent.
Expires: 2027-05-07T00:00:00.000Z

# Preferred languages for reports.
Preferred-Languages: en

# Canonical URL — proves this file's authenticity if you're cross-checking
# discovery. RFC 9116 §2.5.4.
Canonical: https://southlodge.ai/.well-known/security.txt

# Disclosure policy — full coordinated-disclosure terms, scope (in / out
# of scope), Safe Harbor language, response SLAs, and acknowledgements
# policy.
Policy: https://southlodge.ai/security/disclosure-policy.html

# We do NOT yet operate a public bug bounty programme. Researchers who
# follow the disclosure policy and don't violate the law / our customers'
# privacy will receive a written acknowledgement and a Hall-of-Fame
# entry at https://southlodge.ai/security/hall-of-fame.html.

# Software Bill of Materials (CycloneDX 1.5 JSON) — published at the
# stable URL below; regenerated from package-lock.json on every release.
# Use this for supply-chain due diligence + CVE correlation.
# Sbom: https://southlodge.ai/sbom.cyclonedx.json

# This file is signed-by-deploy: any change here lands via a git commit
# that goes through our pre-push gate (lint-staged + secrets scan +
# RLS-claim canonical scan + naming guard) and is published only via a
# verified Netlify deploy. There is no separate PGP signature today;
# the supply-chain controls on the deploy pipeline are the integrity
# anchor for now. RFC 9116 §2.3 makes the Encryption / Signature
# fields optional.
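The file above relies on a few RFC 9116 properties that a reader cross-checking a discovered security.txt would want to verify mechanically: that Contact is present, that Expires parses, has not passed and is not more than a year out, that Canonical matches the URL the file was actually fetched from, and that no field name outside RFC 9116 (such as the commented-out Sbom line) has slipped in uncommented. The checker below is an added example, not part of the security.txt above or of any South Lodge tooling; the sample text and the fixed "now" timestamp are constructed so the run is deterministic, and the known-field list is taken from RFC 9116 §2.5 only.

```python
"""Added example (not part of the security.txt above): a small RFC 9116
field checker. It ignores '#' comment lines, splits 'Field: value'
pairs, and reports the checks a defender cares about when cross-checking
a discovered file. The sample text below is constructed to mirror the
fields of the file above."""

from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116 section 2.5 (compared case-insensitively).
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption", "expires",
    "hiring", "policy", "preferred-languages",
}

# Constructed sample; the values mirror the file above.
SAMPLE = """\
# constructed sample, mirroring the fields of the file above
Contact: mailto:security@southlodge.ai
Expires: 2027-05-07T00:00:00.000Z
Preferred-Languages: en
Canonical: https://southlodge.ai/.well-known/security.txt
Policy: https://southlodge.ai/security/disclosure-policy.html
# Sbom: https://southlodge.ai/sbom.cyclonedx.json
"""

SAMPLE_URL = "https://southlodge.ai/.well-known/security.txt"
SAMPLE_NOW = "2026-05-07T12:00:00Z"  # fixed clock so results are reproducible


def parse_security_txt(text):
    """Return (field, value) pairs with comments and blank lines dropped.
    Field names are lower-cased because RFC 9116 matches them case-insensitively."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # a line without ':' is not a field; a stricter checker could flag it
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised for fromisoformat."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_security_txt(text, fetched_from, now_iso=None):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    by_name = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field '{name}' (not defined in RFC 9116)")

    # Contact is required; RFC 9116 prefers https for web URIs.
    if "contact" not in by_name:
        findings.append("missing Contact (required)")
    for value in by_name.get("contact", []):
        if value.lower().startswith("http://"):
            findings.append(f"Contact uses plain http: {value}")

    # Expires is required, appears once, must be in the future and
    # should be less than a year away.
    if "expires" not in by_name:
        findings.append("missing Expires (required)")
    elif len(by_name["expires"]) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_ts(by_name["expires"][0])
        except ValueError:
            findings.append("Expires is not a valid ISO 8601 timestamp")
        else:
            if exp <= now:
                findings.append("file has expired; treat its contents as stale")
            elif exp > now + timedelta(days=365):
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")

    # Canonical, if present, must include the URL the file was retrieved from.
    canonical = by_name.get("canonical", [])
    if canonical and fetched_from not in canonical:
        findings.append(f"Canonical does not list the fetched URL {fetched_from}")
    return findings


def run_sample():
    """Check the constructed sample against the fixed clock."""
    return check_security_txt(SAMPLE, SAMPLE_URL, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample() or ["all checks passed"]:
        print(finding)
```

The checker treats an expired file as a stale source rather than rejecting it outright, which matches how a reporter would use it: the Contact may still be right, but the policy and canonical URL need re-confirmation before relying on them.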