Reports should focus on mullusi.com pages, static assets, public JSON, security headers, and published contact paths.
Security.
Mullusi keeps the public website simple, static, and easy to report against. Visitors can review current protections, open security.txt, and send vulnerability reports without needing an account.
These controls apply to the public website. API, dashboard, and operator surfaces are Not open as public services yet.
Choose the trust surface.
Move between website security, privacy, terms, use rules, and disclosure without losing the current public boundary.
Send suspected issues through the responsible disclosure page or support mailbox with impact and safe reproduction details.
Mullusi reviews the report, separates website issues from staged services, and records the response boundary.
API, dashboard, sandbox, metrics, operator, and private product systems are not open for public testing.
Browser protections
The public site uses security headers for content policy, HTTPS transport, frame blocking, content-type protection, referrer handling, and browser permission limits.
Script handling
Site scripts are controlled as part of the static build. Inline scripting is limited and validated before deployment.
Public routes
Visitors are routed to published public pages, status, contact, documentation, or responsible disclosure paths. Reserved services are Not open for use.
Public files
Public JSON and page files are static and validated before deployment. Product-service security evidence is separate from public website security.
Current security status
| Surface | State | Security boundary |
|---|---|---|
mullusi.com | Published | Static public website with security headers and no public account session. |
docs.mullusi.com | Published externally | Public documentation route; header ownership may differ from this repository. |
api.mullusi.com | AwaitingEvidence | Public API security status remains staged until runtime witness evidence closes. |
dashboard.mullusi.com | Reserved | Operator surface; not open as a public website service. |