XIPINOW SECURITY POLICY

1. Responsible disclosure: 90-day window before publication.
2. Bug bounty: $100 - $2,000 USDC depending on severity.
3. Out of scope: DoS, social engineering, physical attacks.
4. In scope: API auth bypass, audit log tampering, data leakage, RCE, SQL injection.
5. Audit logs hash-chained (SHA-256). Export available to paying customers via /v1/audit/export.
6. Webhooks signed HMAC-SHA256 with timestamp + replay window 5min.