+ Security
This draft page documents intended site security practices, machine-readable endpoint boundaries, and vulnerability reporting flow.
This page is launch security copy. Final safe harbor, response timelines, bounty posture, reporting mailbox, and third-party testing boundaries require AJ, legal, and security owner approval.
Cosmic Construct intends to use secure transport, least-privilege access, dependency review, logging, and deployment review for public site operations.
Machine-readable endpoints should remain public, narrow, documented, and non-sensitive. Any write action must require human review.
Responsible disclosure should route to an approved inbox with clear triage ownership before this policy is final.
Security reports should be precise, non-destructive, and easy to reproduce by an accountable owner.
Report Security IssueSend a concise report with affected URL, reproduction steps, impact, evidence, and contact information.
Cosmic Construct reviews severity, exploitability, data exposure, and operational impact.
The team coordinates remediation, temporary controls, communication, and account review as needed.
Fixes are verified before public detail is shared. Timing depends on severity, vendor coordination, and customer risk.
Reporter and internal records are updated with final disposition, lessons learned, and follow-up controls.
Use the general contact channel until a dedicated security inbox is approved.
make@cosmicconstruct.tech
Do not include secrets, customer data, or exploit payloads beyond what is necessary to reproduce the issue safely.