# XMR.WIN security contact (RFC 9116)
Contact: mailto:support@xmr.win
Expires: 2027-05-10T00:00:00Z
Preferred-Languages: en
Canonical: https://xmr.win/.well-known/security.txt
Policy: https://xmr.win/terms

# Scope
# - REST API (https://xmr.win/api/*)
# - WebSocket (wss://xmr.win/ws)
# - Web UI (https://xmr.win)
# - Wallet integration (Monero RPC bridge)
#
# Out of scope:
# - DDoS / volumetric attacks
# - Social engineering of operators
# - Issues already known/published in changelog
#
# Please include reproduction steps and PoC. Coordinated disclosure preferred.
# Bug bounty: case-by-case at operator discretion.