If you find a security issue in this site or the build pipeline:
- Email security@specification.website .
- Or open a GitHub Security Advisory.
Please do not open a public issue for security bugs.
- The hosted site at
https://specification.websiteand its subdomains. - The code in this repository (Astro source, GitHub Actions workflows, deployment configuration).
- Reports about missing security headers without a demonstrable impact — the site's headers are documented in
public/_headersand the relevant spec pages. - Reports generated solely by automated scanners with no proof of exploit.
- Social engineering attempts against maintainers.
- We will acknowledge a valid report within 3 business days.
- We will work with you on a fix and disclosure timeline.
- The disclosure window is typically 90 days from the acknowledgement, or sooner if a fix ships earlier.
Contributors who responsibly report security issues are credited in the project unless they prefer otherwise.
See also /.well-known/security.txt — the machine-readable version, per RFC 9116.