Skip to main content

Security // Disclosure channel

Security & Responsible Disclosure

Good-faith security research can make this project safer. This policy defines the authorized reporting channel, research boundaries, and what you can expect after reporting a vulnerability.

Effective July 15, 2026
01

How to report

Send suspected vulnerabilities to contact@narrative-security.com with the subject “Security disclosure.” Include the affected URL or component, impact, reproduction steps, supporting evidence, and a safe way to contact you.

Do not include live secrets, unnecessary personal information, or data belonging to another person. If sensitive transfer is required, request an encrypted channel before sending the material.

02

In-scope systems

This policy covers systems operated for Narrative Security at narrative-security.com and directly associated project endpoints clearly identified as belonging to the project.

  • Authentication and authorization failures exposing restricted project routes.
  • Cross-site scripting, request forgery, injection, path traversal, or server-side request forgery with demonstrable impact.
  • Exposure of secrets, non-public source material, personal information, or writable storage.
  • Security-control bypasses that can be reproduced without disrupting the service or accessing third-party data.
03

Out-of-scope activity

The following activity is not authorized and should not be performed:

  • Denial of service, traffic flooding, destructive testing, resource exhaustion, or actions that degrade availability.
  • Social engineering, phishing, physical attacks, credential stuffing, or attacks against users, providers, or unrelated third parties.
  • Accessing, modifying, retaining, or disclosing data beyond the minimum necessary to demonstrate an issue.
  • Automated scanning at a volume that could affect service, and testing of Cloudflare or other provider infrastructure outside project configuration.
  • Reports limited to missing best-practice headers, version strings, theoretical concerns, or self-XSS without a credible security impact.
04

Good-faith research boundary

Use the minimum interaction necessary to confirm a vulnerability. Stop immediately if you encounter personal, confidential, production, or third-party data; do not copy it, and report the exposure. Do not establish persistence or pivot to another system.

Research consistent with this policy will be treated as authorized to the extent the operator can authorize it. This does not permit violations of law or third-party terms, and it does not bind third parties.

05

What to expect

A substantive report will normally be acknowledged within five business days. Validation, remediation priority, and disclosure timing depend on severity, reproducibility, project capacity, and dependencies.

Please allow a reasonable remediation period before public disclosure and coordinate publication details. Recognition may be offered with your consent, but this project does not currently operate a paid bug-bounty program.

06

Project security posture

The public deployment is intentionally separated from restricted implementation surfaces. Private routes fail closed unless an explicit access mechanism is enabled. Public demonstrations use synthetic or public data, and the site is not intended to hold client or employer information.

These controls reduce risk but do not make the project invulnerable. Responsible reports that identify a meaningful gap are welcome.

Questions or requests

Contact us and include the name of this policy in the subject line.

contact@narrative-security.com