Posture · disclosure · commitments

Security.

What this site does and doesn’t do with your data. How to report a vulnerability. What we’ve committed to in writing.

Site posture

Default-deny on everything except the page you asked for.

Tracking: None. No analytics scripts. No third-party pixels. No advertising tags. No fingerprinting libraries.
JavaScript: None on first paint. The site renders with zero JS dependency. Content Security Policy declares script-src 'none'.
External requests: Zero. No fonts from Google. No CDNs. No iframes. Every byte served from this domain.
Cookies: None. The public site sets no cookies. Visitors who reach the private portal at portal.goroshillc.com are subject to Cloudflare Access session cookies for authentication, governed by that policy.
Transport security: HSTS preload. Strict-Transport-Security max-age set to two years with subdomains included and preload eligibility declared.
Framing: DENY. X-Frame-Options DENY plus CSP frame-ancestors 'none' blocks any embedding.
Form actions: Same-origin only. Forms (none currently on the public site) are restricted to this domain by CSP.
Permissions: All denied. Permissions-Policy explicitly denies accelerometer, camera, geolocation, gyroscope, magnetometer, microphone, payment, USB.

Vulnerability disclosure

If you find something.

Goroshi LLC welcomes good-faith security research on the public surfaces of goroshillc.com. There is no formal bug bounty program; recognition is reputational and on a case-by-case basis.

Send vulnerability reports to [email protected]. Use the canonical contact published at /.well-known/security.txt for RFC 9116 conformance. Include reproduction steps, the affected URL or asset, and any proof-of-concept material you can share safely.

We commit to acknowledging reports within seventy-two hours, providing a triage decision within seven days, and not pursuing legal action against researchers acting in good faith.

Out of scope

What we won’t accept reports on.

The following are explicitly out of scope and reports on them will be closed:

  • Generic banner-grabbing or version-disclosure findings without a working exploit.
  • Self-XSS or any attack requiring the victim to paste hostile code into their own browser.
  • Lack of rate limiting on static asset endpoints.
  • Findings that require physical access to a Goroshi LLC device.
  • Social-engineering attacks against employees, contractors, or counterparties.
  • Issues affecting only end-of-life browsers or operating systems.
  • Third-party sites or services that we link to but do not control.

Data handling

What we collect on the public site.

Effectively nothing. Web server access logs are retained at the hosting provider for standard operational and abuse-prevention purposes and rotated on the provider’s default schedule. We do not aggregate, profile, or share visitor data with any third party.

If you submit an email inquiry, that email is read by the operator personally and retained only as long as the inquiry remains active. We do not add inquirers to a mailing list because we do not operate a mailing list.

Full privacy policy at /privacy. Terms of use at /terms.

Private portal

portal.goroshillc.com is a separate posture.

The private portal at portal.goroshillc.com serves authenticated content to the operator and authorized family-only counterparties. It is gated by Cloudflare Access at the edge with fail-closed JWT verification at the worker layer. Public reports on the portal’s posture follow the same disclosure path documented above.

The portal contains no third-party content, no public indexing, and no functional surface accessible without prior authorization. It is not part of the public attack surface.