Use GitHub's Report a vulnerability button on this repo's Security tab, or email security@divineskins.gg. Include:

• What you found
• How to reproduce it
• What impact you think it has

Do not open a public GitHub Issue for security bugs.

This policy covers:

• The wiki site itself (wiki.divineskins.gg)
• The in-browser draft editor at /draft
• The read-only API routes under /api/ (health, og, search)

The site renders server-side on Cloudflare Workers but has no auth, no user accounts, and no runtime secrets; the API routes are read-only. Contributions are GitHub-native: the /draft editor opens a pull request via a client-side GitHub URL handoff (src/lib/draft/github.ts); it never holds a token or acts on a user's behalf.

• XSS in rendered MDX content (build-time pages and the in-browser /draft preview)
• Anything in the /draft handoff that could be abused to forge or hijack a pull request

We aim to acknowledge reports within 2 business days. Real fix timelines vary.