Security Policy
We take security seriously. If you've found a vulnerability, please report it responsibly.
How to report
Email [email protected] with subject prefix [SECURITY]. Include:
- A clear description of the vulnerability.
- Steps to reproduce.
- Affected URL(s) or component(s).
- Your name (or pseudonym) for credit, if you'd like to be acknowledged publicly.
For sensitive findings, you may PGP-encrypt your report. Contact us first for our public key.
What we promise
- 1-hour acknowledgment for critical (SEV1) reports during normal hours.
- 48-hour acknowledgment for non-critical reports (SEV2-4).
- We will keep you informed of our progress.
- We will credit you publicly (with your permission) once the issue is patched.
- We will not pursue legal action against good-faith security researchers who follow this policy.
In scope
- The website at wordonlinegames.com and all subpaths.
- Our service worker and PWA manifest.
- The static assets in public_html/.
- Our build pipeline (GitHub Actions workflows) — but only if you've discovered a real vulnerability, not just a configuration suggestion.
Out of scope
- Issues in third-party services we use (Cloudflare, IONOS, Plesk) — please report directly to those vendors.
- Social-engineering attacks against our team.
- Physical attacks against our infrastructure providers.
- Denial-of-service (DoS / DDoS) without a novel attack vector.
- Spam to our contact email.
- Issues that require physical access to a victim's device.
Disclosure timeline
We aim to patch confirmed vulnerabilities within 30 days of report (sooner for critical issues). We follow a 90-day responsible disclosure window: we will not object to public disclosure of a verified vulnerability 90 days after our acknowledgment, even if we have not yet shipped a fix — provided you have worked with us in good faith during that period.
Hall of thanks
No reports yet (we just launched!). Researchers who help us improve security will be credited here, with their permission.
RFC 9116 security.txt
A machine-readable version of this policy is at /.well-known/security.txt.
Last updated: 2026-04-29 · Security Policy Version 1.0