Tengo Derechos

Security

We treat the safety of the people who use this site as a security property. If you are a researcher who has found a vulnerability, please report it through the responsible-disclosure process below.

RFC 9116 · Contact: [email protected]

Responsible disclosure

Please do not publicly disclose a vulnerability before we have had a chance to fix it. Email [email protected] with details and a reproduction. We will acknowledge within 72 hours and provide a remediation timeline.

We do not yet run a paid bug-bounty program. We do publicly credit reporters (with consent) on /about/security under 'Hall of fame' once a fix has shipped.

What's in scope

  • Anything served on tengoderechos.org and *.tengoderechos.org.
  • The /api/donations/checkout, /api/donations/webhook, /api/og, /api/qr, /api/connections/* routes.
  • The admin consoles at /admin/resources and /admin/reviews.
  • The service worker at /sw.js and the offline cache behavior.

What's out of scope

  • Any third-party domain (Stripe, Supabase, Resend, ElevenLabs, Apple Wallet) — please report directly to those providers.
  • Spam / abuse via the public submission form (we already require server-side moderation).
  • Best-practice nits without a concrete attack scenario (e.g. missing X-Frame-Options on a page that already returns no sensitive data).

Architecture notes for reviewers

The public site is a Next.js 16 App Router application. All emergency and rights pages are statically prerendered; the service worker caches them under a versioned cache key derived from the version field of package.json plus the build date, so a new deploy never serves pages from a stale cache.

Donation flow uses Stripe Checkout (hosted) — we never see card details. Webhook signature verification uses STRIPE_WEBHOOK_SECRET; events are deduplicated in an in-memory LRU.

The admin token cookie is httpOnly, Secure, SameSite=lax, and only set when ADMIN_TOKEN matches at sign-in.

Content attestations are stored at data/content-attestations.json. Each attestation is bound to a content version; bumping the version drops the attestation, preventing silent edits to verified content.

robots.txt explicitly opts in major AI crawlers. /admin and /weather are explicitly disallowed; note that a Disallow rule is advisory to well-behaved crawlers and is not an access control, so /admin relies on the admin token cookie, not on robots.txt.

Hall of fame

(Empty — be the first.)

security.txt

We publish a machine-readable security.txt at /.well-known/security.txt per RFC 9116. Tools like the Mozilla HTTP Observatory and Internet.nl test for it automatically.

Your rights. Your family. Your protection.