# WhiteBooks security disclosure policy
# RFC 9116 — https://securitytxt.org/

Contact: mailto:security@whitebooks.in
Contact: https://whitebooks.in/about/contact-us
Expires: 2027-12-31T23:59:59.000Z
Encryption: https://whitebooks.in/.well-known/pgp-key.txt
Acknowledgments: https://whitebooks.in/changelog
Preferred-Languages: en, hi
Canonical: https://whitebooks.in/.well-known/security.txt
Policy: https://whitebooks.in/about/terms

# Scope: whitebooks.in, api.whitebooks.in, apisandbox.whitebooks.in,
# app.whitebooks.in, accounts.whitebooks.in.
#
# Out of scope: third-party services (GSTN portal, NIC e-Way Bill, IRP, ZATCA).
# Report upstream issues to those entities directly.
#
# Please report:
# - Authentication, authorization, or session bypass
# - Injection (SQL, XSS, SSRF, XXE, command, deserialization)
# - Data exposure (PII, GSTIN data, IRN payload leaks)
# - Cryptographic flaws (TLS, OAuth tokens, signature handling)
# - Business-logic vulnerabilities affecting GST / IRP / NIC integrations
#
# DO NOT:
# - Test against production GSTINs other than your own
# - Run automated scanners that exceed 10 req/s
# - Access data that doesn't belong to your account
# - Publicly disclose before 90 days from acknowledgement
#
# We aim to acknowledge within 2 business days and patch high-severity
# issues within 30 days. Recognised reporters are listed in /changelog.