Security: chip-dot/ChipOS.io

SECURITY.md

Security Policy

Supported Scope

This policy covers the ChipOS website repo and its public deployment surface.

In scope:

  • website code in this repository
  • preview gate behavior
  • cookies
  • middleware
  • deployment configuration in this repo
  • public domain behavior for chipos.io

Out of scope for this repo:

  • unrelated private infrastructure
  • registrar account access
  • personal account recovery issues
  • external services not controlled by this repo

Reporting a Vulnerability

Do not open a public GitHub issue for a real security vulnerability.

Instead:

  • report it privately to the maintainer first
  • include:
    • affected URL or file
    • exact steps to reproduce
    • impact
    • any proof-of-concept needed to verify it

If a secure private channel is later added, use that channel instead of public issues.

What To Include

Please include:

  • title
  • affected component
  • reproduction steps
  • expected impact
  • whether the issue is reachable unauthenticated, requires an authenticated session, or depends on infrastructure outside this repo

Response Expectations

The goal is:

  • verify quickly
  • contain exposure
  • patch before public disclosure where practical

Secrets Rule

Never include any live secret in a report.

Do not send:

  • production passwords
  • SSH private keys
  • registrar credentials
  • full cookie values for active sessions, unless they are strictly necessary to reproduce the issue

Redact sensitive values whenever possible.
