# Maskr Security Policy
# https://securitytxt.org/

Contact: mailto:security@venin.space
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://maskr.app/.well-known/security.txt
Policy: https://maskr.app/security

# Scope
# All maskr.app subdomains and the main domain are in scope.

# Security Architecture
# - All file processing occurs client-side in the browser
# - No user files are transmitted to servers
# - Analytics (Plausible) and Ads (AdSense) require explicit user consent
# - Face detection uses local ML models, no external API calls
# - PDF redaction flattens pages to images, permanently destroying text

# Out of Scope
# - Denial of service attacks
# - Social engineering attacks
# - Physical attacks against infrastructure

# Acknowledgments
# We appreciate responsible disclosure. Researchers who report valid
# security issues will be acknowledged (with permission) on our site.