
Security

The site is the proof of work.

We refuse to publish privacy and security advice from a site that itself leaks data. This page documents the controls we run and how to report a vulnerability.

What we run

  • TLS 1.3 only on the edge, OCSP stapling, HSTS (max-age=63072000; includeSubDomains; preload), submitted to the HSTS preload list.
  • Strict CSP with per-request nonces and 'strict-dynamic'; no 'unsafe-inline', no 'unsafe-eval'. Violations are reported to /api/csp-report.
  • Full OWASP Secure Headers baseline (COOP / COEP / CORP, Permissions-Policy, X-Content-Type-Options, X-Frame-Options DENY).
  • DNSSEC, CAA, DMARC p=reject, MTA-STS enforce mode, TLS-RPT, BIMI.
  • WebAuthn / passkeys required for all admin access. Admin lives on a separate subdomain with IP allow-list.
  • Self-hosted, cookieless analytics. No third-party scripts on content pages.
  • Signed commits, signed container images (cosign), SBOM (CycloneDX) published at /trust.

Standards we align to

  • OWASP ASVS v4.0.3 (L2), OWASP Top 10, OWASP LLM Top 10
  • NIST Privacy Framework 1.0; NIST AI RMF 1.0 + GenAI Profile
  • ISO/IEC 27001 / 27002:2022, ISO/IEC 27701, ISO/IEC 42001
  • ISO/IEC 29147 + 30111 (vulnerability handling)
  • RFC 9116 (security.txt), RFC 8058 (one-click unsubscribe)
  • WCAG 2.2 AA, EN 301 549

Vulnerability disclosure

Our full policy is at /security/policy. Our /.well-known/security.txt is RFC 9116 compliant.
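An added example of the check behind the RFC 9116 claim above (written for this page, not Reseni Labs' own tooling): a dependency-free Node.js validator for a security.txt file, covering the mandatory Contact and Expires fields, the https: requirement for web URIs, and the recommendation that Expires lie within a year. The sample file is constructed for the example.

```javascript
// Added example, not the site's code. Plain Node.js, no dependencies.
// Constructed sample of a security.txt body for the checks below.
const SAMPLE_SECURITY_TXT = `# constructed sample
Contact: mailto:security@example.invalid
Expires: 2099-01-01T00:00:00.000Z
Canonical: https://example.invalid/.well-known/security.txt
Policy: https://example.invalid/security/policy
Preferred-Languages: en
`;

// Parse "Field: value" lines into a map of field -> [values]. Comments and
// blank lines are skipped; field names are case-insensitive per RFC 9116.
function parseSecurityTxt(text) {
  const fields = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    if (idx < 1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (fields[name] = fields[name] || []).push(value);
  }
  return fields;
}

// Return the problems found; an empty list means the mandatory rules pass.
// `now` is injectable so the expiry checks are deterministic in tests.
function checkSecurityTxt(text, now = new Date()) {
  const f = parseSecurityTxt(text);
  const problems = [];
  if (!f.contact || f.contact.length === 0) problems.push("Contact is required");
  for (const c of f.contact || []) {
    if (!/^(mailto:|tel:|https:\/\/)/.test(c)) problems.push(`Contact must be a mailto:, tel: or https: URI: ${c}`);
  }
  if (!f.expires) {
    problems.push("Expires is required");
  } else if (f.expires.length > 1) {
    problems.push("Expires must appear exactly once");
  } else {
    const exp = new Date(f.expires[0]);
    if (Number.isNaN(exp.getTime())) problems.push("Expires is not an ISO 8601 date-time");
    else if (exp <= now) problems.push("security.txt has expired");
    else if (exp - now > 366 * 24 * 3600 * 1000) problems.push("Expires is more than a year away");
  }
  if (f["preferred-languages"] && f["preferred-languages"].length > 1) problems.push("Preferred-Languages must appear at most once");
  for (const c of f.canonical || []) {
    if (!c.startsWith("https://")) problems.push(`Canonical must be an https: URI: ${c}`);
  }
  return problems;
}

// Stand-alone demo against the constructed sample.
console.log(checkSecurityTxt(SAMPLE_SECURITY_TXT));
```

An expired or missing Expires field is the most common way a published security.txt silently stops being compliant, so this check belongs in the same scheduled job that watches certificate expiry.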

Safe harbour: if you make a good-faith effort to comply with our policy, we will not pursue or support legal action against you, and we will credit your finding (with your permission) at /security/thanks.

Service-level targets

  • Acknowledge a report: ≤ 2 business days
  • Triage and severity: ≤ 5 business days
  • Remediate Critical: ≤ 7 days
  • Remediate High: ≤ 30 days
  • Coordinated disclosure window: ≤ 90 days by default
Security · Reseni Labs