# Liminal Consultants Group — Security Policy
# Published per RFC 9116. The firm's preferred path of first resort is
# coordinated, private disclosure to the contact listed below.

Contact: mailto:security@liminalconsultants.com
Expires: 2027-04-22T00:00:00.000Z
Preferred-Languages: en
Canonical: https://liminalconsultants.com/.well-known/security.txt
Acknowledgments: https://liminalconsultants.com/acknowledgments.html
Policy: https://liminalconsultants.com/legal.html#privacy

# Scope
#
# In scope: liminalconsultants.com and any subdomain whose origin server is
# operated by the firm. The static publication is the primary surface; the
# firm's client portals are scoped per-engagement and are not advertised
# from the marketing site.
#
# Reports concerning non-public infrastructure referenced in the firm's
# published terms — the Form XT-7 attestation workflow and the standing
# arrangements administered "beneath" the client-facing record — are
# in-scope where the report describes a leak of, or unauthorized access
# to, those references on the marketing surface itself. Do not test
# against production. Do not exfiltrate participant lists. Do not
# attempt to enumerate the unattended location.
#
# Out of scope: third-party CDNs (Tailwind, Google Fonts), denial-of-
# service testing, social engineering of partners or counsel, and any
# enquiry that would require the disclosing party to provide their own
# attendance record at a prior engagement.

# Acknowledgments
#
# The firm acknowledges responsible disclosure on the page above.
# Submissions received via proxy are accepted; the proxy is asked to
# forward the original submitter's reference number where one was
# issued at the time of observation.