Security
Security and provenance.
This page documents the public website security posture, responsible disclosure path, and build provenance artifacts for mindburn.org.
Disclosure
Report security issues to contact@mindburn.org. Do not include secrets or private customer data in public issues.
Public assistant
The assistant is source-bounded and citation-guarded: when provider checks fail, it becomes unavailable rather than answering without citations.
Supply chain
CI runs npm audit, registry signature checks, action pinning checks, CodeQL, and SBOM generation.
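The action-pinning check named above is the kind of gate that fails a build when a workflow references a third-party GitHub Action by a mutable tag or branch instead of a full commit SHA. The script below is an added illustration of such a check, not mindburn.org's own CI code; the workflow text and action names in it are constructed for the example, and the gate's exact rules on the real site are not documented here.

```shell
#!/bin/sh
# Added example (not the site's own CI): flag GitHub Actions references that
# are not pinned to a full 40-character commit SHA. The workflow below is a
# constructed sample containing one SHA-pinned step, one tag-pinned step and
# one local action.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - run: npm audit --audit-level=high'

# Print each `uses:` reference that is neither a local action (./...), a
# docker:// image, nor pinned to a full commit SHA. Surrounding quotes and
# trailing "# vN" comments are stripped so annotated SHA pins still count.
unpinned_actions() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//' \
    | sed "s/['\"]//g" \
    | grep -v -e '^\./' -e '^docker://' \
    | grep -v -E '@[0-9a-f]{40}$' || true
}

# Number of unpinned references; a CI gate would fail when this is non-zero.
count_unpinned() {
  unpinned_actions "$1" | grep -c . || true
}

# Convenience wrapper for checking a real workflow file on disk.
check_workflow_file() {
  unpinned_actions "$(cat "$1")"
}

echo "Unpinned action references in the sample workflow:"
unpinned_actions "$SAMPLE_WORKFLOW"
echo "Count: $(count_unpinned "$SAMPLE_WORKFLOW")"
```

Run as written it reports `actions/setup-node@v4` and a count of 1; pointing `check_workflow_file` at each file under `.github/workflows/` and failing on a non-zero count gives the pinning gate. Tag pins are flagged because a tag can be moved to different code after review, whereas a commit SHA cannot.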
Privacy posture
The public site does not use cookies or advertising trackers. Optional web vitals are aggregate route-level metrics only.
Responsible disclosure
Email contact@mindburn.org with a concise description, affected URL, reproduction steps, and impact. We will acknowledge reports personally.
Use security.txt for machine-readable contact details.
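A security.txt file following RFC 9116 is served at /.well-known/security.txt and carries the disclosure contact in machine-readable form. The fragment below is an added example of what such a file looks like, built from the contact address on this page; it is not a copy of the site's actual file, and the Expires date is a placeholder that must be set to a real future date and renewed before it lapses.

```text
# Added example of an RFC 9116 security.txt (not the site's own file).
# Served at: https://mindburn.org/.well-known/security.txt
Contact: mailto:contact@mindburn.org
Expires: 2099-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://mindburn.org/.well-known/security.txt
```

Contact and Expires are the two required fields; Canonical lets a reader confirm they fetched the file from its intended location, which matters because an expired or mislocated file is treated as invalid by tooling that consumes it.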
Provenance artifacts
The public SBOM and provenance manifest are generated from the current package graph and vendored asset manifest.
Provider and subprocessors
The hosting provider may create ordinary request, security, and abuse-prevention logs. The assistant provider processes prompts transiently to answer public source-bounded questions. Contact form delivery uses the configured transactional email provider and does not store submissions in site storage.