How to report
Email [email protected] with a description, repro steps, and (if relevant) a proof-of-concept. PGP optional. Replies within 48 hours.
Machine-readable contact: /.well-known/security.txt (RFC 9116).
What's in scope
- The www.seanmaraj.com public site.
- The contact intake API at /api/contact.
- The well-known files (llms.txt, llms-full.txt, security.txt, mcp.json, etc.).
What's out of scope
- Denial of service / volumetric attacks.
- Findings that require a privileged position on the user's device or network.
- Reports auto-generated by scanners with no human-validated impact.
- Missing security headers without a working exploit (please mention them in the report; they aren't standalone vulns).
Good faith
You will not face legal action for testing performed in good faith against the public scope above. Don't exfiltrate data beyond what proves the issue, don't pivot into third-party services, and don't generate sustained load.
Hall of fame
Researchers who responsibly disclose will be acknowledged here, with their permission.