Security Policy
How to report a vulnerability, what to expect in return, and how this site is built to be secure.
Last updated · May 2026
Security governance is a core part of my professional work, so I hold this site to the same standard I advocate for elsewhere. If you have found a security issue, I want to hear about it, and this page explains how to report it and what you can expect in return.
Reporting a vulnerability
If you believe you have found a security vulnerability affecting this website, please report it responsibly:
- Email hello@mohitrane.com with a clear subject line such as "Security report".
- Describe the issue with enough detail to reproduce it: the affected URL or component, the steps taken, and the impact you observed.
- Give me time to respond before disclosing the issue publicly, so it can be fixed before it is exploited.
- Do not access or modify others' data and avoid any action that would degrade the service for other visitors.
What to expect
I aim to acknowledge a good-faith report within a few business days, confirm whether I can reproduce the issue, and keep you reasonably informed as it is addressed. While this is a personal site without a formal bug-bounty program, credit and genuine thanks are offered to researchers who report issues responsibly.
Scope
This policy covers the mohitrane.com website and its content. It does not cover third-party platforms, embedded services, or social profiles linked from the site, which are governed by their own providers' security and disclosure policies.
Safe harbor
Good-faith security research conducted in line with this policy is welcomed. If you act in good faith, avoid privacy violations and service disruption, and give me a reasonable opportunity to resolve the issue before public disclosure, I will not pursue legal action over your research. Acting in good faith also means stopping and reporting as soon as you encounter sensitive data.
Security posture
The site is built to keep its attack surface small:
- Static architecture. Pages are pre-rendered and served as static files, which removes whole classes of server-side and database vulnerabilities.
- Encryption in transit. All traffic is served over HTTPS, with HSTS to enforce secure connections.
- Security headers. Responses use a Content Security Policy and other hardening headers to reduce the risk of injection and clickjacking.
- Minimal data. No accounts, no passwords, and no sensitive personal data are stored on the site, so there is little of value to compromise.
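A practitioner verifying the posture above would want a repeatable check that the headers are actually present and configured strictly. The following is an added example, not code from this site or its author: a small Python audit that parses Strict-Transport-Security and Content-Security-Policy values and reports where they fall short of the goals listed (HSTS for transit, a CSP that limits script injection, a clickjacking defence). The one-year HSTS floor, the function names and the two sample header sets are assumptions constructed for the example, not values captured from mohitrane.com.

```python
"""
Audit HTTP response headers against the hardening goals listed above:
HSTS for encryption in transit, a Content Security Policy that limits
script injection, and a clickjacking defence.
"""
import urllib.request

# Minimum HSTS max-age this audit accepts: one year, the floor commonly
# required for HSTS preload. This threshold is an assumption of the
# example, not a value stated by the site.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed.

    `headers` maps response header names to values (names are matched
    case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Encryption in transit: HSTS present, long-lived, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short ({max_age})")
        if "includesubdomains" not in d:
            findings.append("HSTS does not include subdomains")

    # Injection: a CSP whose script-src (or default-src fallback) neither
    # permits inline scripts nor loads scripts from any host.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            if "'unsafe-inline'" in script_src:
                findings.append("CSP script-src allows 'unsafe-inline'")
            if "*" in script_src:
                findings.append("CSP script-src allows any host (*)")

    # Clickjacking: frame-ancestors in the CSP, or X-Frame-Options as fallback.
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no frame-ancestors directive or X-Frame-Options")

    # MIME sniffing: nosniff stops browsers reinterpreting content types.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


def fetch_headers(url):
    """Fetch a URL's response headers with a HEAD request (live check)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets for illustration; not captured from the site.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        findings = audit_security_headers(hdrs)
        print(f"{label}: {'all checks passed' if not findings else findings}")
```

Run as a script, the hardened sample passes every check and the weak sample produces six findings (short HSTS lifetime, no subdomain coverage, inline and wildcard script sources, no framing restriction, no nosniff). To audit a site you operate, pass the result of fetch_headers to audit_security_headers; the HEAD request reads only the response headers.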
A core professional focus
Treating security as a first-class concern rather than an afterthought is central to how I work. The principles behind this site's posture are described in more depth in my Security Governance Framework.