Security & Responsible Disclosure
How Xiphirium protects data and infrastructure — and how to report a vulnerability to us safely, with good-faith research welcomed under a clear safe harbour.
We build security in: HTTPS everywhere, a strict Content Security Policy, hardened endpoints, minimal data collection. If you find a vulnerability, email hi@xiphirium.com. Test in good faith and within scope and we will not pursue you — we will thank you.
01 Our commitment
Xiphirium builds software for a living. We hold our own infrastructure to the standard we hold our work to. Security is treated as a continuing practice — designed in, monitored, and improved — not a box ticked once.
We also believe that independent security research makes everyone safer. If you have found a weakness in our website or infrastructure, we want to hear about it, and we have written this policy so you can tell us without hesitation.
02 How we protect this website
xiphirium.com is a deliberately small, mostly static site. Its attack surface is kept narrow, and it is hardened with:
- Encryption in transit — all traffic is served over HTTPS/TLS, with HTTP Strict Transport Security (HSTS) enforced and submitted for browser preloading.
- Strict Content Security Policy — a CSP restricts scripts, styles, frames and connections to known origins, mitigating cross-site scripting and injection.
- Full security header set — including X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy, so the browser enforces safe defaults.
- No cookies, no third-party trackers — the website sets no cookies and loads no advertising or analytics trackers, removing an entire class of risk.
- Hardened endpoints — the brief and spec endpoints accept only well-formed requests, validate and bound all input, screen automated submissions, apply rate limiting, and restrict cross-origin calls.
- No secrets in the browser — API keys and credentials are held server-side as environment variables and are never exposed to the client.
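The list above names the controls; a practitioner verifying them (or maintaining them after a deployment) wants a repeatable check rather than a visual inspection. The script below is an added example written for this page, not Xiphirium's own tooling: it audits a set of HTTP response headers against the hardening described above (HSTS with a preload-eligible max-age, a CSP whose script-src is restricted, the X-Content-Type-Options / X-Frame-Options / Referrer-Policy / Permissions-Policy / Cross-Origin-Opener-Policy set, and no Set-Cookie, since the site sets no cookies). The two header dictionaries are constructed samples, not captured from xiphirium.com; the one-year minimum is the threshold the HSTS preload list requires.

```python
"""Audit HTTP response headers against a 'secure by default' header set.

Added example for illustration; the header samples are constructed,
not captured from any live site.
"""
import re
from typing import Dict, List

ONE_YEAR = 31_536_000  # seconds; minimum max-age the HSTS preload list accepts


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def check_hsts(value: str) -> List[str]:
    """HSTS is only preload-eligible with max-age >= 1y, includeSubDomains, preload."""
    findings: List[str] = []
    directives = {d.strip().lower() for d in value.split(";")}
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year (preload requires >= 31536000)")
    if "includesubdomains" not in directives:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in directives:
        findings.append("HSTS missing preload directive")
    return findings


def check_csp(value: str) -> List[str]:
    """A CSP mitigates XSS only if script execution is limited to known origins."""
    findings: List[str] = []
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src falls back to default-src when absent, as browsers do.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP sets neither script-src nor default-src")
    else:
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline'")
        if "*" in script_src:
            findings.append("CSP script-src allows any origin (*)")
    if "frame-ancestors" not in directives:
        findings.append("CSP missing frame-ancestors (relying on X-Frame-Options alone)")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    h = _lower(headers)
    findings: List[str] = []

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    else:
        findings += check_hsts(h["strict-transport-security"])

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    else:
        findings += check_csp(h["content-security-policy"])

    # Headers with a small set of acceptable values.
    expected = {
        "x-content-type-options": {"nosniff"},
        "x-frame-options": {"deny", "sameorigin"},
        "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups"},
    }
    for name, allowed in expected.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].strip().lower() not in allowed:
            findings.append(f"{name} has unexpected value {h[name]!r}")

    # Policies that send the full URL to other origins leak path and query data.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("missing referrer-policy")
    elif rp.strip().lower() in {"unsafe-url", "no-referrer-when-downgrade"}:
        findings.append(f"referrer-policy {rp!r} leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("missing permissions-policy")

    # A cookie-free site should never emit Set-Cookie.
    if "set-cookie" in h:
        findings.append("set-cookie present on a site that should set no cookies")
    return findings


# Constructed sample: the header set a hardened static site would return.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; "
                               "connect-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}

# Constructed sample: a weak configuration, to show what the audit reports.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

Run it against real headers by feeding `audit_headers` the dictionary your HTTP client returns for the site (for example `requests.get(url).headers`); because the function only reads the mapping, it works equally well as a post-deploy assertion in CI.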
03 How we protect data
- Data minimisation — we collect only what we need. The less we hold, the less is ever at risk.
- Reputable providers — hosting, email and AI processing run on established providers that maintain recognised security and compliance practices.
- Access control — provider accounts and mailboxes are protected with strong, unique credentials and multi-factor authentication.
- Dependency hygiene — we keep dependencies current and minimal, and review third-party code we rely on.
- Breach response — if a data breach likely to cause serious harm occurs, we will act under the Notifiable Data Breaches scheme. See the Privacy Policy for how we handle personal information.
04 Reporting a vulnerability
If you believe you have found a security vulnerability affecting Xiphirium, please report it to hi@xiphirium.com. To help us act quickly, please include:
- a clear description of the vulnerability and the affected URL, endpoint or component;
- the steps needed to reproduce it, and any proof-of-concept;
- your assessment of the potential impact; and
- how you would like to be credited, if you wish to be.
Please report promptly, give us a reasonable opportunity to investigate and remediate before any public disclosure, and keep details of the vulnerability confidential until we confirm it is resolved.
05 Safe harbour for researchers
If you make a good-faith effort to comply with this policy during your research, we will regard your activity as authorised, we will not pursue or support legal action against you in relation to it, and we will work with you to understand and resolve the issue quickly.
To stay within this safe harbour, you must:
- act in good faith to avoid privacy violations, data destruction, service degradation and interruption to others;
- only interact with accounts and data you own or have explicit permission to test — never access, modify or exfiltrate data belonging to others;
- stop testing and report immediately if you encounter personal information or other sensitive data;
- use only the minimum interaction necessary to demonstrate a vulnerability;
- not use social engineering, physical attacks, spam, or denial-of-service techniques; and
- give us a reasonable time to remediate before disclosing publicly.
If legal action is initiated by a third party against you for activity that complied with this policy, we will make it known that your actions were conducted in accordance with it. This policy does not authorise activity that breaches the law, and cannot waive rights of third parties.
06 Scope
This policy covers infrastructure operated by Xiphirium, namely:
- the website at xiphirium.com and its sub-pages;
- the public API endpoints under xiphirium.com/api/; and
- email configuration for the xiphirium.com domain.
07 Out of scope
The following are out of scope. Please do not test them under this policy:
- third-party platforms and services we rely on (such as our hosting, email and AI providers) — report issues in those directly to the relevant provider;
- client projects and any separate websites or systems Xiphirium has built or operates for clients — these have their own owners and disclosure channels;
- denial-of-service, volumetric or load-testing attacks;
- social engineering, phishing, or physical attacks against Xiphirium, its personnel or its providers;
- reports of missing best practices with no demonstrated, realistic exploit (for example, a header preference) — still welcome, but treated as informational; and
- spam or content-injection in the brief form that does not constitute a security vulnerability.
08 What to expect from us
When you report a vulnerability in good faith, we will:
- acknowledge your report, ordinarily within 5 business days;
- investigate and keep you reasonably informed of progress;
- work to remediate confirmed vulnerabilities on a timeline appropriate to their severity; and
- credit you for the discovery if you would like to be credited.
Xiphirium does not currently operate a paid bug-bounty programme; we recognise valid reports with our genuine thanks and, with your permission, public credit.
09 Machine-readable security.txt
In line with RFC 9116, our security contact details are also published in machine-readable form at:
10 Contact
- Security contact: hi@xiphirium.com
- Entity: Xirophi Pty Ltd (ACN 697 534 393) trading as Xiphirium
- Location: Sydney, New South Wales, Australia