# HOLCO — Security policy (RFC 9116)
# Coordinated disclosure welcome. We answer within 72 business hours.

Contact: mailto:pierre@holco.co
Contact: mailto:alan@holco.co
Expires: 2027-05-12T00:00:00.000Z
Preferred-Languages: fr, en
Canonical: https://holco.co/.well-known/security.txt
Policy: https://apps.holco.co/mcp/pennylane/docs/security

# Scope
# - holco.co (static Next.js)
# - apps.holco.co (static Next.js + Node funnel)
# - lab.holco.co (R&D)
# - Public MCP servers under github.com/holco-apps

# Out of scope
# - Volumetric DoS, social engineering, physical attacks
# - Third-party model providers (Anthropic, Mistral, OpenAI) — report directly to them

# Acknowledgements
# We credit researchers (with consent) in /humans.txt after coordinated fix.