# DoCoDeGo — Vulnerability Disclosure Policy # https://docodego.com/.well-known/security.txt # RFC 9116 https://www.rfc-editor.org/rfc/rfc9116 Contact: mailto:security@docodego.com Contact: https://docodego.com/collaborate Expires: 2027-05-19T00:00:00.000Z Preferred-Languages: en Canonical: https://docodego.com/.well-known/security.txt # Scope # In scope: docodego.com and its subdomains, the framework repo, # and any tooling published under the docodego organisation. # Out of scope: third-party services we don't operate (Discord, Cloudflare, # GitHub, etc.). # Reporting guidance # Please email security@docodego.com with: # - a clear description of the vulnerability # - reproduction steps # - the impact you observed or suspect # We acknowledge within 5 working days and aim to fix or document within 30. # We will credit you publicly unless you ask us not to. # What's NOT a vulnerability # - The whole site is intentionally open (no auth, no user data, no PII). # - The window.dcdg API is by design — it's a documented developer affordance. # - The /secret page exposing easter eggs is by design. # - Pagefind indexing every public page is by design. # Thanks # To everyone who has reported issues large and small. The Manifesto is # sharper because of you.