Vulnerability Disclosure
We take the integrity of this site and the data it holds seriously, and we welcome reports from security researchers who find a weakness in it. This page sets out how to reach us, what is in scope, and what to expect. It is also advertised in /.well-known/security.txt (RFC 9116).
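As an added illustration of the RFC 9116 format that the file above follows (example code written for this page, not the site's own, and the sample file body below is constructed rather than copied from the live /.well-known/security.txt): a checker that parses a security.txt body and applies the RFC's structural rules, so a researcher can confirm a published policy file is well-formed before acting on its Contact and Policy values. It expects an unsigned file; a PGP-clearsigned one should be verified and unwrapped first.

```javascript
// Added example, not code from annealir.com: a checker for the RFC 9116
// security.txt format. It parses "Field: value" lines and applies the RFC's
// structural rules to an unsigned file.

// Field names registered by RFC 9116; anything else is reported as unknown.
const KNOWN_FIELDS = new Set([
  'acknowledgments', 'canonical', 'contact', 'encryption',
  'expires', 'hiring', 'policy', 'preferred-languages',
]);
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Parse the text into {name, value} pairs. Names are case-insensitive;
// comment lines (#) and blank lines carry no field. A line without a
// "Name:" prefix is kept with name null so the validator can report it.
function parseSecurityTxt(text) {
  const fields = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const sep = line.indexOf(':');
    if (sep <= 0) {
      fields.push({ name: null, value: line });
      continue;
    }
    fields.push({
      name: line.slice(0, sep).trim().toLowerCase(),
      value: line.slice(sep + 1).trim(),
    });
  }
  return fields;
}

// Apply the RFC 9116 rules. `now` is injectable so the result is deterministic.
function validateSecurityTxt(text, now = new Date()) {
  const errors = [];
  const warnings = [];
  const fields = parseSecurityTxt(text);
  const named = (n) => fields.filter((f) => f.name === n);

  for (const f of fields) {
    if (f.name === null) errors.push(`malformed line: ${f.value}`);
    else if (!KNOWN_FIELDS.has(f.name)) warnings.push(`unknown field: ${f.name}`);
    // RFC 9116 requires web URIs in the file to use https.
    if (/^http:\/\//i.test(f.value)) errors.push(`web URI must use https: ${f.value}`);
  }

  // Contact: at least one, and each value must be a URI (mailto:, tel:, https://).
  const contacts = named('contact');
  if (contacts.length === 0) errors.push('Contact is required');
  for (const c of contacts) {
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c.value)) errors.push(`Contact value is not a URI: ${c.value}`);
  }

  // Expires: exactly once, an RFC 3339 timestamp, still in the future, and
  // (recommended) less than a year out so the file gets revisited.
  const expires = named('expires');
  if (expires.length === 0) {
    errors.push('Expires is required');
  } else if (expires.length > 1) {
    errors.push('Expires must appear exactly once');
  } else {
    const when = Date.parse(expires[0].value);
    if (Number.isNaN(when)) errors.push(`Expires is not a valid timestamp: ${expires[0].value}`);
    else if (when <= now.getTime()) errors.push('Expires is in the past');
    else if (when - now.getTime() > ONE_YEAR_MS) warnings.push('Expires is more than a year away');
  }

  if (named('preferred-languages').length > 1) {
    errors.push('Preferred-Languages must not appear more than once');
  }
  return { errors, warnings };
}

// Constructed sample in the shape of such a file; not the live file's content.
const SAMPLE = [
  '# Vulnerability disclosure contact for www.annealir.com (constructed sample)',
  'Contact: mailto:security@annealir.com',
  'Expires: 2027-01-01T00:00:00.000Z',
  'Canonical: https://www.annealir.com/.well-known/security.txt',
].join('\n');

console.log(JSON.stringify(validateSecurityTxt(SAMPLE)));
```

The Expires check is the one most often wrong in the wild: an expired file tells a researcher nothing about whether the contact is still monitored, which is why the RFC makes the field mandatory and suggests keeping it under a year out.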
1. How to report
Email security@annealir.com with enough detail to reproduce the issue — the affected URL or endpoint, the steps, and the impact you observed. A proof of concept helps. If you wish to send anything sensitive, say so and we will arrange a secure channel. Please report promptly, and give us a reasonable window to remediate before any public disclosure.
2. Scope
In scope: the public website (www.annealir.com), its Cloudflare Pages Functions (/api/interest, /api/beacon, /_owner), and the data they store. Out of scope: anything that requires harming our users or their data, degrading service for others, social engineering, physical access, or third-party services we do not operate. Volumetric denial-of-service testing is not authorised.
3. Good-faith safe harbour
We will not pursue or support legal action against researchers who act in good faith and within this scope: who avoid privacy violations and data destruction, who access only the minimum needed to demonstrate an issue, who do not exfiltrate or retain data they encounter, and who give us a reasonable chance to respond before disclosing. If you are unsure whether something is permitted, ask first.
4. What to expect
We aim to acknowledge a report promptly, to keep you informed as we investigate and remediate, and to agree a disclosure timeline with you. We will tell you when an issue is fixed. As a small team ahead of launch, we ask for patience on timing; we would rather get the fix right than rush it.
5. Recognition
There is no paid bug-bounty programme at this stage. We are glad to credit researchers who report valid issues, by name or handle, on request. If and when a formal programme exists, it will be announced here and in security.txt.
6. Our posture
Cloudflare hosts the site, its functions, and its measurement, so no other third party sits in the data path. Raw IP addresses are never stored; only salted hashes are. Measurement is first-party and honours Global Privacy Control (the Sec-GPC header) and Do Not Track (DNT), and the owner console fails closed: if a check cannot be completed, access is denied. The public detail is in the Privacy Policy and Cookies & Tracking; the binding terms are the Terms of Use.