Security: Phatfella/AIEP-HUB

SECURITY.md

Security Policy

Supported Versions

Version | Supported
latest  | ✅ Yes
< 1.0   | ❌ No

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report security concerns to:
📧 security@aiep.protocol (monitored — response within 72 hours)

Include in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or proof-of-concept
  • The affected version(s) and component(s)

Security Design Principles

AIEP Hub follows secure-by-default practices:

  1. No server-side secrets in repository: wrangler.toml contains only non-secret deployment configuration. Secrets are managed via Cloudflare environment variables.

  2. Static site — Hub is a fully pre-rendered Astro site deployed to Cloudflare Pages. No runtime user-data handling.

  3. Content Security Policy — HTTP security headers enforced by _headers file and Cloudflare Workers.

  4. Dependency hygiene: node_modules/ is gitignored; dependencies are pinned via package-lock.json.

Scope

This policy applies to the AIEP Hub Astro site and associated Cloudflare Workers.

Out of scope: the AIEP specification documents (.md files in src/pages/) — these are technical documents, not executable software.

SPDX-License-Identifier: Apache-2.0 © 2025–2026 Neil Grassby. All rights reserved.

There aren’t any published security advisories