Preservation and Integrity
A work of this nature — built to endure, maintained with deliberate care — depends on structural soundness as much as content. Security is not an afterthought appended to the margins; it is woven into the material from the first line of code. A Content Security Policy (CSP) is enforced. Subresource Integrity (SRI) hashes guard every asset. No external scripts. No databases. No moving parts that do not need to move.
Even so, no structure is beyond scrutiny. If you have found an imperfection — a crack in the surface, a structural risk invisible from the outside — this is the appropriate place to bring it.
Scope
This policy covers the publication at marianholly.com and all content served under that domain.
Within scope:
- The rendered site — HTML, CSS, JavaScript, and static assets
- The source repository at github.com/marianholly/blog
Outside scope:
- GitHub infrastructure — Pages, Actions, CDN
- Third-party services referenced from the publication
- Social engineering, phishing, or attacks against persons rather than systems
Reporting
Bring findings quietly, by email:
A machine-readable version of this contact is kept at /.well-known/security.txt, as convention requires.
There is no form. No ticket system. A direct message is sufficient and preferred.
Response
| Milestone | Commitment |
|---|---|
| Acknowledgment | Within 72 hours |
| Assessment and follow-up | Within 7 days |
| Credit | In the fix commit, if desired |
Good Faith
Those who approach this work with genuine curiosity and careful hands are welcome. If you make a good-faith effort to identify and report a vulnerability — without destroying data, disrupting availability, or exceeding what is strictly necessary to demonstrate the issue — no legal action will follow.
Responsible disclosure is a form of respect. It will be met with the same.
One More Thing
There is a flag hidden somewhere on this site.