security.txt
The canonical vulnerability disclosure file is published at `/.well-known/security.txt` with contact, policy, language, and expiry fields.
Security process
Polis publishes an RFC 9116 security.txt, a public attack-surface packet, and no-cost review evidence so reports are routed without exposing secrets.
Reports can be sent to security@socialmedia2.com or review@socialmedia2.com and are triaged without requesting secret values.
The public review packet names routes, constraints, and no-paid-operation boundaries for independent reviewers.
Breach response targets containment within one hour, affected-citizen disclosure within 72 hours, and a public postmortem within 30 days.