If you find a security issue in this site or the build pipeline:

• Email security@specification.website.
• Or open a GitHub Security Advisory.

Please do not open a public issue for security bugs.

• The hosted site at https://specification.website and its subdomains.
• The code in this repository (Astro source, GitHub Actions workflows, deployment configuration).

• Reports about missing security headers without a demonstrable impact — the site's headers are documented in public/_headers and the relevant spec pages.
• Reports generated solely by automated scanners with no proof of exploit.
• Social engineering attempts against maintainers.

• We will acknowledge a valid report within 3 business days.
• We will work with you on a fix and disclosure timeline.
• The disclosure window is typically 90 days from the acknowledgement, or sooner if a fix ships earlier.

Contributors who responsibly report security issues are credited in the project unless they prefer otherwise.

See also /.well-known/security.txt — the machine-readable version, per RFC 9116.