Security disclosure policy. Sleep Psycho.

Reporting

If you've found a security issue, please email security@sleeppsycho.rest or mulhern.thomasr@gmail.com. Include enough detail to reproduce. No PGP key yet; the reports are read by a human.

Scope

The Sleep Psycho website (sleeppsycho.rest) and its subdomains
The Tally waitlist form embedded on the site (please also report directly to Tally for issues in their platform)

Out of scope

Automated scanner output without a reproducible impact narrative
Missing security headers that don't enable a concrete exploit
Best-practice findings about third-party domains we link to
Social engineering of the operator

Safe harbor

Good-faith research that follows this policy (no data exfiltration, no service disruption, no PII handling beyond what's needed to demonstrate the issue) will not be pursued legally. Wait for a reasonable disclosure window before going public.