Architecture limitations: the public site is a Vercel-hosted static app with serverless intake routes and Supabase-backed analytics/submission queues. Public endpoints should expose aggregate statistics only, not raw emails, raw notes, IP addresses, credentials, or authorization headers.
Security
Security contact pending.
No monitored security inbox has been approved for publication yet. Do not send sensitive vulnerability details through public forms.