Security disclosure policy

How to report

Send vulnerability reports through the contact form with the category set to "Security." If the form itself is the vulnerability, email security@anomalydaily.com.

Machine-readable disclosure metadata is at /.well-known/security.txt (RFC 9116).

What we'd like to know

• The vulnerability and where it lives (URL, route, request)
• Steps to reproduce
• The impact you observed or believe is possible
• Any proof-of-concept code or screenshots (avoid actual destructive payloads)
• How you'd like to be credited (or "anonymous")

What you can expect

• Acknowledgment within 72 hours via the contact channel you used.
• Initial triage within 7 days — we'll tell you what we know and what we're going to do.
• Coordinated disclosure — we agree a timeline with you for public disclosure once a fix is shipped.
• Credit on this page (or this site's changelog), unless you prefer anonymity.

Scope

In scope:

• anomalydaily.com and all subdomains
• The Vercel-hosted infrastructure backing them
• Public API endpoints under /api/

Out of scope:

• Third-party services (Vercel, Cloudflare, Shopify, Beehiiv, Buffer, Discord) — report those to the vendor
• Denial-of-service tests (please don't run these against production)
• Spam or social-engineering of the operator or readers
• Issues requiring physical access

Safe harbor

If you make a good-faith effort to comply with this policy, we will not pursue legal action against you, and we will work with you to understand and resolve the issue.