If you discover a security vulnerability in this project, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email: security@qinnovate.com
2. Or use GitHub's private vulnerability reporting: Report a vulnerability

• Description of the vulnerability
• Steps to reproduce
• Affected component (website, data pipeline, API endpoint)
• Potential impact assessment
• Suggested fix (if any)

In scope:

• qinnovate.com website and all subpages
• Client-side JavaScript and WebAssembly components
• Data pipeline scripts and build tools
• API endpoints (if any)
• GitHub Actions workflows

Out of scope:

• Third-party services (CDNs, analytics)
• Social engineering attacks
• Denial of service attacks
• Issues in dependencies (report upstream)

• No user data is collected or stored
• All research data is publicly available (CC BY 4.0)
• No authentication system — static site only
• No cookies, no tracking, no analytics that collect PII

• Static site hosted on GitHub Pages / Vercel
• HTTPS enforced via hosting provider
• No server-side code execution
• Content Security Policy headers configured
• Dependencies audited via npm audit in CI

• Dependencies pinned via package-lock.json
• GitHub Actions workflows use pinned action versions
• No secrets in source code (verified via automated scanning)
• Build output is deterministic and reproducible

We appreciate security researchers who help keep this project safe. Responsible reporters will be acknowledged here (with permission).