chronotopos

security

Reporting a vulnerability

Found a security problem? Please tell us privately. Good-faith research is welcome.

How to report

Email security@chronotopos.art with enough detail to reproduce the issue. We will acknowledge your report, keep you updated, and credit you if you’d like once the issue is fixed. A machine-readable copy of this policy lives at /.well-known/security.txt.

What’s in scope

This website and its upload, capture and admin endpoints. Because the project is built privacy-first, we’re especially interested in anything that could expose a contributor’s identity, leak quarantined or rejected images, bypass the face/metadata screening, or reach data that should stay private.

Please report privately, and don’t exploit

Report privately and give us a reasonable chance to fix the issue before sharing it publicly. While testing, please do not access, modify or delete other people’s data, run denial-of-service or spam attacks, or do anything that degrades the service for others. Stick to your own test data.

If you act in good faith and follow this policy, we will not pursue or support legal action against you for your research. If you’re unsure whether something is in scope, ask first.

This is about technical security. To request that a photo be removed, use the removal page; for what data we handle, see the privacy notice.

last revised · 2026·06·06