# Responsible Discovery Policy

AI App Exposure Desk is built around outside-only public-surface readiness review and responsible escalation of findings to site owners.

## What The Agent Does

The agent uses only passive methods, reading what a site already serves to any unauthenticated visitor:

- Public search API results.
- Public HTML.
- Response headers.
- `robots.txt`.
- Sitemap hints.
- Same-origin public static JavaScript bundles referenced by the page.
- Public contact, privacy, terms, support, and about pages for owner contact discovery.

Lead triage and outreach show broad categories and severity only. They do not display sensitive-looking values, exploit steps, private records, or exact abuse paths.

## What The Agent Does Not Do

- No login attempts.
- No password guessing.
- No brute force.
- No export or download clicks.
- No private API probing.
- No vulnerability exploitation.
- No credential extraction.
- No copying or retaining private records.

## Paid Public Surface Review

The paid public review remains outside-only. It can include exact public findings and safe snippets, but it still avoids exploitation, authentication attempts, export clicks, and private data access.

## Authorized Readiness Review

Any internal, authenticated, repository, config, cloud, database, Stripe, OAuth, or storage review requires written authorization with exact scope and timestamp before work begins.

## Language Rules

Describe findings as "public exposure signals" or "production-readiness risk." Do not claim a compromise unless public, unauthenticated exposure has been confirmed with evidence that is safe to share with the owner.
