🔐 Security

Found a Security Issue?

Thanks for taking the time to report it. We respond to every valid report within 48 hours.

How to report

Email security@traveloonie.com with reproduction steps, affected URLs, and (if relevant) a proof-of-concept. We accept reports in English. Our machine-readable contact file is at /.well-known/security.txt.

What's in scope

  • traveloonie.com — the public marketing and blog surface served by Cloudflare Pages.
  • The Cloudflare Pages proxy at /.netlify/identity and /.netlify/git, including its CORS and method handling.
  • The Decap CMS surface at /admin/, including authentication and content-edit flows.
  • Content Security Policy bypasses, header leakage, sub-resource integrity gaps, and other transport-level findings.

What's out of scope

  • Issues in Netlify Identity itself, GitHub Git Gateway, Google Analytics, or other upstream providers — please disclose to those vendors directly.
  • Self-XSS that requires opening DevTools and pasting your own payload.
  • Reports generated by automated scanners with no demonstrated impact.
  • Best-practice recommendations without a concrete attack path (we welcome those at hello@traveloonie.com instead).

Our process

  1. You email security@traveloonie.com.
  2. We acknowledge within 48 hours.
  3. We triage, validate, and assign a severity.
  4. We agree a fix window: 30 days for High/Critical, 90 days for Medium/Low.
  5. We deploy the fix, and (with your consent) publicly credit you in the release notes.

Safe harbour

We will not pursue legal action against good-faith security research that respects user privacy and avoids data destruction, service disruption, or accessing more data than necessary to demonstrate the issue. Please do not test against real user accounts you don't control; create your own test account on the CMS if needed (the operator must invite you first).

Out-of-scope reports we already know about

The current Content Security Policy uses 'unsafe-inline' on script-src because of four small inline scripts in the layout (theme init, scroll observer, GA Consent Mode default, and Identity redirect). We're tracking the migration off it — see our internal runbook. Reports demonstrating actual XSS through this gap are still welcome and in scope.
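As an added illustration of the migration described above (this is not code from the Traveloonie site, and the four script bodies are constructed stand-ins because the real ones are not on this page), the following Python computes the 'sha256-…' source expressions that let script-src drop 'unsafe-inline', and models the browser rule that once a hash or nonce is present, 'unsafe-inline' is ignored in CSP level 2 and later.

```python
import base64
import hashlib
import re

# Constructed placeholders for the four inline scripts named on the page;
# the real layout's script bodies are not on the page.
INLINE_SCRIPTS = {
    "theme-init": "document.documentElement.dataset.theme = localStorage.getItem('theme') || 'light';",
    "scroll-observer": "new IntersectionObserver(function (es) { es.forEach(function (e) { e.target.classList.toggle('seen', e.isIntersecting); }); });",
    "ga-consent-default": "window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('consent', 'default', {analytics_storage: 'denied'});",
    "identity-redirect": "if (window.netlifyIdentity) { window.netlifyIdentity.on('login', function () { document.location.href = '/admin/'; }); }",
}

def csp_hash(script_body: str) -> str:
    """Return the CSP source expression for one inline script.

    The hash covers the exact bytes between <script> and </script>, whitespace
    included, so any edit to the script changes the policy and must be redeployed.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_script_src(scripts: dict, extra_hosts=()) -> str:
    """Assemble a script-src directive that allows only the listed inline scripts."""
    sources = ["'self'", *extra_hosts, *(csp_hash(body) for body in scripts.values())]
    return "script-src " + " ".join(sources)

_HASH_OR_NONCE = re.compile(r"^'(nonce-|sha(256|384|512)-)")

def inline_script_allowed(script_src: str, script_body: str) -> bool:
    """Decide whether a browser enforcing CSP level 2+ would run an inline script.

    Once any hash or nonce source is present, 'unsafe-inline' is ignored, so
    keeping it next to hashes only serves browsers that predate CSP level 2.
    """
    sources = script_src.strip().rstrip(";").split()[1:]  # drop the "script-src" keyword
    if any(_HASH_OR_NONCE.match(s) for s in sources):
        return csp_hash(script_body) in sources
    return "'unsafe-inline'" in sources
```

Regenerate the hashes as part of the build whenever the layout changes; a stale hash silently blocks the script rather than falling back to 'unsafe-inline'.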