Security

If you find a security issue affecting metnos.com or the Metnos project, please tell us — we read every report.

How to report

Please include enough detail to reproduce the issue: affected URL or component, steps, expected vs. observed behaviour, and — if relevant — proof-of-concept payloads. A working demonstration helps, but is not required.

Scope

In scope: metnos.com and any subdomain we publish, plus any source code released under the Metnos project.

Out of scope: third-party services we do not control (the upstream hosting platform, registrar, mail provider), social-engineering of the maintainer, denial-of-service tests, automated scanner output without a verified finding.

What we ask

• Give us a reasonable window to fix the issue before public disclosure — typically 90 days, sooner if we agree.
• Do not access, modify, or exfiltrate data that is not your own.
• Do not degrade the service for other users.
• Test only against accounts and resources you control.

What you can expect

• An initial human reply within 5 working days.
• An honest assessment: severity, planned fix, expected timeline.
• Credit in our acknowledgements when the fix ships, if you want it.
• No legal action against good-faith research that follows this policy.

Metnos is a small, self-funded project: there is no monetary bug bounty. What we offer is attention, transparency, and a public thank-you.

Machine-readable

The corresponding security.txt follows RFC 9116.