Security disclosure

Responsible reporting for p31ca.org, related Workers, and public repos under github.com/p31labs.

Where to report

Email: [email protected] — use subject line [security].
Machine-readable: /.well-known/security.txt

What to include

Affected URL or Worker host and reproduction steps
Impact assessment (data exposure, auth bypass, etc.)
Optional: patch or mitigation idea

Scope

In-scope: our static hub, configured Workers, and published packages. Out-of-scope: third-party dependency debates without a concrete exploit, social engineering against individuals, or denial-of-service load tests without prior agreement.

Policy

We do not operate a paid bounty program. We aim to acknowledge valid reports and ship fixes proportional to severity. Do not publicly disclose unresolved critical issues until we’ve had a reasonable window to patch.