# fremforge / frem.sh — security contact & coordinated disclosure.
#
# Overrides Forgejo's built-in default (which pointed only at the Forgejo
# project's security team, with no contact for THIS instance's operator).
# RFC 9116. Shipped in the forgejo-custom-public-root ConfigMap (alongside
# robots.txt) and mounted at /data/gitea/public/.well-known/security.txt;
# Forgejo serves it at /.well-known/security.txt (which the api proxy
# excludes, so it routes to Forgejo, not the api).
#
# security@frem.sh is a reserved address consolidated into the monitored
# compliance@ inbox (operator mail convention). Keep `Expires` < 1 year out
# and renew on review — an expired security.txt is treated as invalid.

Contact: mailto:security@frem.sh
Canonical: https://frem.sh/.well-known/security.txt
Preferred-Languages: en, da
Expires: 2027-05-30T00:00:00.000Z