Security

Security contact and transport boundary.

Mushku.com uses same-origin HTTPS routes for browser traffic. Please report vulnerabilities privately.

Transport

HTTPS/TLS

Browser requests are sent over same-origin HTTPS. This protects traffic in transit against casual interception and redirect confusion.

Boundary

Separate Claims

Transport security is not the same as encryption of encoded field payloads. Payload privacy claims are bounded separately.

Reports

Private Disclosure

Email security reports to sram@mushku.com with enough detail to reproduce the issue. The same contact is published at /.well-known/security.txt.

Do Not

No Public Exploits

Please do not publicly post exploit details, private account data, live package material, or payment identifiers.

Scope

Website + Demo

Reports about the website, package download path, account ledger behavior, same-origin API routes, and demo API are in scope.

Boundaries

Billing Safety

Do not test paid-search abuse, Stripe abuse, account takeover, denial of service, or destructive behavior without written permission.

Response

Manual Review

This is an early demo surface. Include impact, reproduction steps, affected URL or endpoint, and whether account or payment data was involved.