Security

Security.

Mullusi keeps the public website simple, static, and easy to report against. Visitors can review current protections, open security.txt, and send vulnerability reports without needing an account.

Browse Check Report Triage Resolve
WebsitePublished
ProtectionsEnabled
ReportingOpen
AccountsNot required
ServicesReserved

These controls apply to the public website. API, dashboard, and operator surfaces are Not open as public services yet.

Trust routes

Choose the trust surface.

Move between website security, privacy, terms, use rules, and disclosure without losing the current public boundary.

Scope Public website routes only.

Reports should focus on mullusi.com pages, static assets, public JSON, security headers, and published contact paths.

Report Use disclosure or support.

Send suspected issues through the responsible disclosure page or support mailbox with impact and safe reproduction details.

Triage Classify, repair, and record.

Mullusi reviews the report, separates website issues from staged services, and records the response boundary.

Limit Reserved services are not targets.

API, dashboard, sandbox, metrics, operator, and private product systems are not open for public testing.

Browser protections

The public site uses security headers for content policy, HTTPS transport, frame blocking, content-type protection, referrer handling, and browser permission limits.

Script handling

Site scripts are controlled as part of the static build. Inline scripting is limited and validated before deployment.

Public routes

Visitors are routed to published public pages, status, contact, documentation, or responsible disclosure paths. Reserved services are Not open for use.

Public files

Public JSON and page files are static and validated before deployment. Product-service security evidence is separate from public website security.

Current security status

SurfaceStateSecurity boundary
mullusi.comPublishedStatic public website with security headers and no public account session.
docs.mullusi.comPublished externallyPublic documentation route; header ownership may differ from this repository.
api.mullusi.comAwaitingEvidencePublic API security status remains staged until runtime witness evidence closes.
dashboard.mullusi.comReservedOperator surface; not open as a public website service.
Disclosure route: Report suspected vulnerabilities through support@mullusi.com or the responsible disclosure page. Do not test reserved services as production targets.