Effective: March 2026. Scope: continuous.engineering and all subdomains.
If you find a security vulnerability, please report it to [email protected]. We will acknowledge receipt within 48 hours and work to resolve confirmed issues promptly. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.
Scope
In scope for responsible disclosure:
- continuous.engineering and all subdomains
- The Cloudflare Pages Functions API (authentication bypasses, data exposure, injection vulnerabilities)
- The AI chat and lead capture pipeline
- The admin interface
Out of scope:
- Third-party services (Cloudflare, Anthropic, Bunny Fonts): report those directly to the vendor
- Denial of service attacks or resource exhaustion
- Social engineering or phishing attacks targeting individuals
- Issues requiring physical access
- Low-severity informational disclosures (e.g., server version headers)
What to include in your report
- A clear description of the vulnerability and its potential impact
- Steps to reproduce, including any relevant URLs, payloads, or screenshots
- Your name or handle if you would like to be credited
What to expect
- Acknowledgement within 48 hours
- Status update within 7 days on whether the report is accepted
- Remediation target: 30 days for critical/high severity, 90 days for medium/low
- Credit in a Hall of Thanks (on request) once the issue is resolved
Our commitments
- We will not pursue legal action against researchers who follow this policy
- We will treat your report confidentially and not share your personal details without consent
- We will keep you informed of progress
Contact
Email: [email protected]
This policy is also published at continuous.engineering/.well-known/security.txt.