Security Policy
Reporting a Vulnerability
Please report security issues via GitHub Private Vulnerability Reporting.
Do not open public issues for security reports.
Scope
This is a static Jekyll blog hosted on GitHub Pages. In-scope reports:
- Repository configuration (workflow permissions, action SHAs, secrets exposure)
- Site-served content (XSS via Markdown rendering, malicious redirects)
- Dependency vulnerabilities not surfaced by Dependabot
Out of scope: upstream theme issues — see Reverie.