Security

Responsible disclosure.

If you have found a security vulnerability on ikigai.do, please let me know. I take security seriously and I appreciate your effort.

Scope

What this policy covers.

This policy applies to ikigai.do and its subdomains. Ikigai operates a static, public marketing website hosted on Cloudflare Pages. There is no user authentication, no payment processing, and no user-generated content stored on the infrastructure.

If you have identified a vulnerability that could affect the integrity, availability, or confidentiality of ikigai.do, I want to hear about it.

How to report

Email is the fastest way.

Send an email to [email protected] with the subject line "Security · Disclosure". Include a clear description of the issue, steps to reproduce, and any relevant proof of concept. Encrypted communication is welcome on request.

  • I acknowledge receipt within 5 business days.
  • I do not pursue legal action against researchers acting in good faith.
  • Ikigai does not currently operate a paid bug bounty programme.

Out of scope

What I do not consider actionable.

  • Findings from automated scanners without demonstrated impact.
  • Theoretical vulnerabilities in third-party services Ikigai uses (Cloudflare, GitHub, etc.) that are managed by those providers.
  • Self-XSS, clickjacking on pages without sensitive actions, and missing security headers without demonstrated exploitability.
  • Reports requesting payment in exchange for disclosure.

Acknowledgements

Thank you.

Security is a collective effort. I am grateful to researchers who take the time to help keep the web safer.