Responsible disclosure

Security & Vulnerability Reporting

Version 2.3.2 · Effective date: to be confirmed before production launch

Security approach

The service applies layered controls including HTTPS deployment, host and origin validation, a Content Security Policy, secure administrator sessions, password hashing, CSRF protection, rate limiting, restricted HTTP methods, audit logging, least-privilege containers and backups.

Reporting a vulnerability

Report suspected vulnerabilities privately to the security contact published by the operator. Do not include sensitive personal data unless necessary. Provide the affected URL, reproducible steps, impact and supporting evidence.

Safe testing

Do not access other people's data, degrade service, use denial-of-service techniques, install persistence, exfiltrate information or publicly disclose an unresolved issue. Testing requires prior written authorisation unless a published vulnerability-disclosure policy states otherwise.

Response

The operator should acknowledge, triage, remediate and document security reports according to severity. This page does not create a financial reward or bug-bounty commitment.

Limit

No software or network can be made immune from attack. Security depends on the application, server configuration, patching, credentials, monitoring and operational practice.