Security Policy
We welcome reports from security researchers acting in good faith.
Scope
Anything served from ossreplace.com and its subdomains.
How to report
Email [email protected] with a subject line beginning with [SECURITY]. PGP is not required; encrypted attachments are accepted.
Safe harbor
We will not pursue legal action against researchers who: (a) make a good-faith effort to avoid privacy violations and service disruption, (b) access only the minimum data necessary to demonstrate the issue, and (c) give us a reasonable time to remediate before disclosing publicly.
What is in scope
- Cross-site scripting in the static site templates
- Open redirects
- Subdomain takeover
- Information disclosure (server-side data appearing client-side)
- Misconfigured CORS, CSP or other security headers where the misconfiguration has demonstrable impact
What is out of scope
- Findings against third-party services we link to (report to those vendors directly)
- Missing best-practice headers without demonstrable impact
- Volumetric or denial-of-service attacks
- Social-engineering attempts against the operator
Acknowledgments
We will publicly thank reporters of valid issues here, with their permission.