This is a static website with no backend, no authentication, and no user data. The attack surface is limited to the published HTML/CSS/JS and its security headers (see public/_headers).

If you find a security issue — a misconfigured header, a content problem, or a dependency advisory — please report it privately:

• Open a private security advisory, or
• Open a regular issue if it is not sensitive.

There is no bug bounty. Expect a response within a few days. Thanks for helping keep the lab honest.