# RFC 9116 — Blueberry Software AD security contact
#
# This file is published at https://blueberry.bg/.well-known/security.txt
# and mirrored verbatim at https://volts.live/.well-known/security.txt.
# The blueberry.bg copy is canonical.

Contact: mailto:security@blueberry.bg
Contact: https://blueberry.bg/security/
Expires: 2027-05-16T23:59:59Z
Encryption: https://blueberry.bg/.well-known/security-pgp.asc
Preferred-Languages: en, bg
Canonical: https://blueberry.bg/.well-known/security.txt
Policy: https://blueberry.bg/security/vulnerability-disclosure-policy/
Acknowledgments: https://blueberry.bg/security/hall-of-fame/
CSAF: https://blueberry.bg/.well-known/csaf/provider-metadata.json

# Scope:
# - All Volts AIoT Suite cloud services (volts.iot, volts.live, vpn.iot.volts.live)
# - All Volts Gateway hardware and firmware (HLK-7688A v1, HLK-7621A v2)
# - Volts mobile apps (com.blueberry.iot — iOS and Android)
# - Blueberry Software AD corporate infrastructure
#
# Out of scope:
# - Customer-controlled networks the gateway is deployed on
# - Third-party services we link to but do not operate
#
# SLA:
# - Initial acknowledgement: within 2 business days
# - Severity classification (CVSS 4.0): within 5 business days
# - Status update cadence: weekly until resolved
# - Coordinated disclosure window: 90 days from acknowledgement, extendable
#
# For actively-exploited vulnerabilities affecting product safety or
# customer data, we will pull-forward disclosure and patch shipping.