# PilotCrew SAS — Security disclosure policy (RFC 9116)
# https://pilotcrew.io/.well-known/security.txt
# Last review: 2026-06-02
#
# We welcome responsible disclosure of security vulnerabilities affecting
# PilotCrew (pilotcrew.io) and any of its sub-domains, APIs, or services.
# Please use the contacts below — we acknowledge reports within 48 hours
# and triage to fix or risk-accept within 14 days.

Contact: mailto:security@pilotcrew.io
Contact: mailto:accipe.curtys@gmail.com
Contact: tel:+33768240059

Expires: 2027-06-02T00:00:00.000Z

Encryption: https://pilotcrew.io/.well-known/pgp-key.txt

Policy: https://pilotcrew.io/legal/security-disclosure

Preferred-Languages: fr, en

Canonical: https://pilotcrew.io/.well-known/security.txt

# Scope
# - In scope: pilotcrew.io and all sub-domains, public APIs, mobile/web clients
# - Out of scope: third-party sub-processors listed at /legal/subprocessors
#   (please contact them directly, e.g. security@anthropic.com,
#    security@vercel.com, security@supabase.com, etc.)
#
# Safe harbor
# Good-faith research that follows this policy will not result in legal
# action against the researcher. Avoid testing that disrupts the service
# for other users (DoS, data destruction, social engineering of staff).
#
# Identity
# PilotCrew SAS, SIREN 994 487 775, 229 Rue Saint-Honoré 75001 Paris.
# DPO: dpo@pilotcrew.io (RGPD Art. 28, breach SLA 72h per Art. 33).