Responsible disclosure

Report security issues.

If you find a possible security issue on a public Mullusi website route, report it privately and avoid harm. This page is for safe public-website reports only; it does not authorize testing reserved product services, dashboards, sandboxes, metrics, or private systems.

Find issue Avoid damage Email report Wait for triage Coordination
Public websiteIn scope
Reserved servicesOut of scope
Runtime accessNot open
TestingNon-destructive
BountyNot promised
ReportEmail route

This route receives reports. It does not authorize access to reserved services, destructive testing, stress testing, or public disclosure before coordination.

Trust routes

Choose the trust surface.

Move between website security, privacy, terms, use rules, and disclosure without losing the current public boundary.

Confirm scope Stay on public website routes.

Check that the issue is on mullusi.com pages, static assets, public JSON, headers, sitemap, robots, or security.txt.

Minimize impact Use non-destructive reproduction.

Stop if testing exposes private data, credentials, infrastructure details, or any reserved service boundary.

Prepare report Include URL, steps, impact, and safe evidence.

Attach screenshots only when they do not reveal secrets, private data, or unrelated third-party information.

Coordinate Wait for triage before public disclosure.

Mullusi may ask for clarification, safer reproduction, or a repair window before external publication.

In scope

Public pages on mullusi.com, public assets, public JSON files, contact links, sitemap, robots, security headers, and the published security.txt route.

Out of scope

Reserved subdomains, private repositories, mailboxes you do not own, third-party systems, social engineering, denial of service, destructive testing, or attempts to access non-public data.

Report contents

Include the affected URL, reproduction steps, observed impact, browser details if useful, screenshots if safe, and whether any data was viewed or changed.

Coordination

Allow time for triage and repair before public disclosure. Mullusi may ask for clarification, impact details, or a safer way to reproduce the issue.

Safe testing requirements

  1. Use only your own browser session and your own data.
  2. Stop immediately if testing exposes non-public data, credentials, or infrastructure details.
  3. Do not run volume, stress, destructive, persistence, or bypass tests.
  4. Do not treat reserved subdomains or staged services as live production targets.
  5. Do not disclose the issue publicly before a coordinated repair window is agreed.
Bounty boundary: No public bounty program is promised by this page. This route exists to receive and coordinate responsible reports.