Public bug-bounty program #175

Open

quickweb-stack wants to merge 1 commit into Dgetsylver:main from quickweb-stack:public-bug

Public bug-bounty program#175
quickweb-stack wants to merge 1 commit into
Dgetsylver:mainfrom
quickweb-stack:public-bug

Conversation

@quickweb-stack

Summary

Bug Bounty Program — Done

Files created

File | Description
-- | --
SECURITY.md | Root security policy — scope, tiers, payouts, safe harbour, 90-day disclosure SLA
landing/bug-bounty.html | Self-hosted program page — dark-themed, responsive, with payout table & contact
landing/.well-known/security.txt | RFC 9116 machine-readable disclosure contact
scripts/test-disclosure-pipeline.ts | Smoke-test: validates all artifacts, simulates a mock disclosure submission

Smoke test: 4/6 pass ✅

  • 3 local file checks — all green
  • 1 disclosure simulation — template printed, green
  • 2 remote checks — expected failures (site not deployed yet; will pass post-deploy)

Before going live, you need to

  1. Stand up security@turbolong.app inbox
  2. Publish a PGP key at /.well-known/pgp-key.txt
  3. Deploy landing/ to production, then re-run npx tsx scripts/test-disclosure-pipeline.ts — all 6 checks should pass
  4. Add a "Security" footer link in both landing/index.html and frontend/index.html pointing to /bug-bounty
Related Issue

Closes #88

Checks

  • I read the contribution guide.
  • I kept this pull request scoped to the linked issue.
  • I ran the relevant local checks or explained why they were skipped.
  • For Drips wave issues, I claimed the issue before opening this pull request.

Notes for Reviewers
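The PR lists a `landing/.well-known/security.txt` and a smoke test that validates the artifacts. As an added example (not the project's `scripts/test-disclosure-pipeline.ts` and not code from the PR author), the following TypeScript shows what a local RFC 9116 check for that file can cover: the required `Contact` and `Expires` fields, the https-only rule for web URLs, the single-occurrence rule for `Expires` and `Preferred-Languages`, and an expiry that is in the future (the RFC recommends one less than a year away). The sample files and the `example.com` URLs are constructed for this example.

```typescript
// Added example: a minimal RFC 9116 security.txt checker. It is not the PR's
// own smoke-test script; field names and rules follow RFC 9116, and the sample
// inputs at the bottom are constructed for this example.

export interface ParsedSecurityTxt {
  fields: Record<string, string[]>; // lower-cased field name -> values in file order
  malformed: string[];              // non-comment lines that are not "Field: value"
}

export interface SecurityTxtReport {
  ok: boolean;
  errors: string[];
  warnings: string[];
}

const DAY_MS = 24 * 60 * 60 * 1000;

/** Parse "Field: value" lines; '#' lines are comments and blank lines are skipped. */
export function parseSecurityTxt(text: string): ParsedSecurityTxt {
  const fields: Record<string, string[]> = {};
  const malformed: string[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    const name = idx > 0 ? line.slice(0, idx).trim().toLowerCase() : "";
    if (!/^[a-z][a-z0-9-]*$/i.test(name)) { malformed.push(line); continue; }
    const value = line.slice(idx + 1).trim();
    if (!fields[name]) fields[name] = [];
    fields[name].push(value);
  }
  return { fields, malformed };
}

/** Validate a security.txt body; `now` is injectable so the check is deterministic. */
export function validateSecurityTxt(text: string, now: Date = new Date()): SecurityTxtReport {
  const { fields, malformed } = parseSecurityTxt(text);
  const errors: string[] = [];
  const warnings: string[] = [];
  const get = (name: string): string[] => fields[name] ?? [];

  for (const line of malformed) errors.push(`malformed line: ${JSON.stringify(line)}`);

  // Contact: required, one or more URIs; a web URL must use https (RFC 9116 section 2.5.3).
  const contacts = get("contact");
  if (contacts.length === 0) errors.push("missing required field: Contact");
  for (const c of contacts) {
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c)) errors.push(`Contact is not a URI: ${c}`);
    else if (/^http:\/\//i.test(c)) errors.push(`Contact web URL must use https: ${c}`);
  }

  // Expires: required exactly once, ISO 8601 date-time, still in the future (section 2.5.5).
  const expires = get("expires");
  if (expires.length !== 1) {
    errors.push(`Expires must appear exactly once (found ${expires.length})`);
  } else {
    const t = Date.parse(expires[0]);
    if (Number.isNaN(t)) errors.push(`Expires is not a valid date-time: ${expires[0]}`);
    else if (t <= now.getTime()) errors.push(`security.txt expired on ${expires[0]}`);
    else if (t - now.getTime() > 365 * DAY_MS) warnings.push("Expires is more than a year away (RFC 9116 recommends less)");
  }

  // Optional fields that still carry constraints.
  for (const c of get("canonical")) {
    if (!/^https:\/\//i.test(c)) errors.push(`Canonical must be an https URL: ${c}`);
  }
  if (get("preferred-languages").length > 1) errors.push("Preferred-Languages must appear at most once");
  for (const e of get("encryption")) {
    if (!/^(https:\/\/|dns:|openpgp4fpr:)/i.test(e)) errors.push(`Encryption must be an https, dns or openpgp4fpr URI: ${e}`);
  }

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample: a well-formed file for a program like the one in this PR.
export const SAMPLE_GOOD = [
  "# Constructed sample for this example (not the project's real file)",
  "Contact: mailto:security@example.com",
  "Contact: https://example.com/bug-bounty",
  "Expires: 2027-01-01T00:00:00.000Z",
  "Encryption: https://example.com/.well-known/pgp-key.txt",
  "Canonical: https://example.com/.well-known/security.txt",
  "Preferred-Languages: en",
].join("\n");

// Constructed sample with the mistakes the check is meant to catch.
export const SAMPLE_BAD = [
  "Contact: http://example.com/security",  // plain http web URL
  "Contact: security@example.com",         // bare address, not a mailto: URI
  "Policy https://example.com/policy",     // missing colon after the field name
].join("\n");                              // and no Expires field at all
```

Run with `npx tsx` against the deployed file's contents (fetch it over https and pass the body to `validateSecurityTxt`); the `now` parameter exists so a CI job can pin the clock and so an expiry that is about to lapse can be tested without waiting for it.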

@quickweb-stack
Author

Done, Close: #175

@drips-wave

drips-wave Bot commented May 29, 2026

@quickweb-stack Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Development

Successfully merging this pull request may close these issues.

H4: Public bug-bounty program