# security.txt — workoutgen.app
#
# Hey. We are two friends building WorkoutGen from France.
# One of us writes code. The other coaches people in real gyms.
# No VC, no big team — just us, trying to make personalized fitness
# free and accessible for as many people as possible.
#
# Our users are regular people trying to get healthier.
# Attacking this app means hurting them, not some faceless corporation.
#
# If you found a vulnerability — please tell us.
# We cannot pay bug bounties. What we can do:
#   - Fix it fast
#   - Credit you publicly on workoutgen.app/security/
#   - Write back personally (not a bot, not a template)
#
# We respond within 48 hours.
# We will not take legal action against good-faith security research.

Contact: mailto:security@workoutgen.app
Contact: https://workoutgen.app/security/
Expires: 2027-02-15T00:00:00Z
Preferred-Languages: en, fr
Policy: https://workoutgen.app/security/
Canonical: https://workoutgen.app/.well-known/security.txt

# What to include in your report:
#   - reproduction steps
#   - measurable impact
#   - affected URL or endpoint
#   - proof of concept or screenshots
#
# Please do not exfiltrate user data or disrupt the service.
# If you accidentally stumble on something sensitive, stop and tell us.
# We will handle it confidentially.