Security

Last updated: April 7, 2026

We take the security of the Site and your data seriously. This page summarizes how we approach security and how you can report vulnerabilities responsibly.

1. Our practices

  • Connections to the Site are served over HTTPS to protect data in transit.
  • Authentication and session handling use industry-standard mechanisms (e.g. secure cookies, hashed passwords where accounts exist).
  • Hosting and infrastructure providers are selected with security and reliability in mind.
  • Access to administrative tools is restricted and role-based.
  • We apply updates and monitor for abuse where feasible; no system is perfectly secure.

2. Your role

  • Use strong, unique passwords for any account on the Site.
  • Do not share credentials or reuse passwords from other sites.
  • Keep your devices and browsers updated.
  • Be cautious of phishing: we will not ask for your password by email.

3. Reporting vulnerabilities

If you believe you have found a security vulnerability in the Site or related services, please report it privately to contact@horaciosapato.com with a clear description, steps to reproduce, and, if applicable, proof. Do not access or exfiltrate user data beyond what is necessary to demonstrate the issue.

We ask that you give us reasonable time to investigate and remediate before public disclosure. We do not operate a formal bug bounty program unless separately announced; reports are appreciated and handled in good faith.

4. Out of scope

Reports that typically do not qualify as security issues include:

  • Missing security headers without demonstrated exploitability.
  • Self-XSS or issues requiring unlikely user interaction without impact.
  • Denial-of-service via volumetric traffic (please use responsible disclosure for logic flaws only).
  • Content on third-party sites or services we do not control.

5. Contact

Security inquiries: contact@horaciosapato.com.