# Durianfun Security Policy
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
#
# If you believe you've discovered a security vulnerability in
# Durianfun (frontend at https://durianfun.xyz or the smart
# contracts it interacts with on KUB Chain), please report it
# privately using the channels below. We commit to acknowledging
# legitimate reports within 48 hours.

Contact: https://t.me/durianfun
Contact: mailto:security@durianfun.xyz
Expires: 2027-04-18T00:00:00.000Z
Preferred-Languages: en, th
Canonical: https://durianfun.xyz/.well-known/security.txt

# What's in scope
# - Smart contracts deployed by the Durianfun factories on KUB Mainnet
#   (Factory V4.5: 0xdf4f3dB298A9aDe853191F58b4b2a322D47EC005
#    CLOB V2.5: 0x1e963da022030D29D952e7e0c944F6bfAC50b0e7)
# - This frontend (https://durianfun.xyz), including XSS, CSRF, auth
#   bypass, private-key exposure, wallet-drain vectors.
#
# What's NOT in scope
# - Third-party wallets (MetaMask, OKX) — please report to the
#   respective vendor.
# - Third-party AMMs routed through the UI (Udonswap, CMSWAP).
# - Social-engineering, DoS, volumetric attacks on the public RPC.
#
# Please:
# - Do not publicly disclose before we've had a chance to patch.
# - Do not exfiltrate, modify, or destroy data beyond what is
#   strictly necessary to prove the vulnerability.
# - Use testnet where possible. Mainnet PoC is allowed only if
#   necessary and only with amounts small enough to minimise
#   disruption to other users.