Responsible disclosure

Report security issues.

Report suspected vulnerabilities in the public Mullusi website through a non-destructive disclosure path. This page does not authorize testing of reserved runtime, dashboard, sandbox, metrics, or private operator surfaces.

support@mullusi.com | security.txt | Security boundary

In scope

Public static routes on mullusi.com, public asset delivery, public JSON files, public contact links, sitemap, robots, and security headers.

Out of scope

Reserved subdomains, private repositories, mailboxes you do not own, third-party infrastructure, social engineering, denial of service, or destructive data access.

Report contents

Include the affected route, reproduction steps, observed impact, browser details if relevant, and whether any data was viewed or changed.

Coordination

Allow time for triage and repair before public disclosure. Mullusi may request clarification, proof of impact, or a safer reproduction path.

Safe testing requirements

  1. Use only your own browser session and your own data.
  2. Stop immediately if testing exposes non-public data, credentials, or infrastructure details.
  3. Do not run volume, stress, destructive, persistence, or bypass testing.
  4. Do not access or attempt to access reserved subdomains as live production targets.
  5. Do not disclose the issue publicly before a coordinated repair window is agreed.

Bounty boundary: No public bounty program is promised by this page. The route exists to receive and coordinate responsible reports.