Security
How we hold our own site.
We advise organizations on their security posture, so it's fair to ask about ours. This page describes how the OP4 site is built and how to report a problem if you find one.
Responsible disclosure
If you've found a security issue affecting op4.co or its infrastructure, we want to hear about it. Email andrew@op4.co with enough detail to reproduce it. We'll acknowledge receipt, keep you updated, and we won't pursue action against good-faith research that respects the guidelines below.
In scope
- The op4.co website and its subdomains
- DNS and email-routing configuration
- Exposed configuration or secrets
Please avoid
- Denial-of-service or load testing
- Accessing data that isn't yours
- Social engineering of staff or clients
Posture
These are the targets we hold this site to. A few are still being finalized as the site goes live and are noted as such.
- Transport: HTTPS everywhere, HSTS, and HSTS preload registration.
- Headers: A strict Content-Security-Policy, plus the standard security headers, targeting a clean securityheaders.com grade.
- Email: SPF, DKIM, and DMARC on op4.co mail (finalizing with Email Routing setup).
- DNS: DNSSEC enabled at the registrar.
- Privacy: Privacy-respecting analytics only, no third-party trackers, and minimal external dependencies.
- Disclosure: A published /.well-known/security.txt pointing here.
security.txt
Served at https://op4.co/.well-known/security.txt
Contact: mailto:andrew@op4.co
Preferred-Languages: en
Canonical: https://op4.co/.well-known/security.txt
Policy: https://op4.co/security
Expires: 2027-06-13T00:00:00.000Z
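A published security.txt is only useful if it stays valid, so it is worth checking the way a reviewer would. The checker below is an added example, not OP4's own tooling: it parses the file body shown above and applies the RFC 9116 rules (Contact and Expires required, Expires and Preferred-Languages at most once, https/mailto/tel schemes, Canonical matching the URL the file is served from, and an RFC 3339 Expires that is in the future and less than a year out); the reference time is passed in as a string so the result is reproducible.

```python
# Added example (not OP4's tooling): RFC 9116 checks over the security.txt shown on this page.
from datetime import datetime, timedelta
from urllib.parse import urlparse
SERVED_AT = "https://op4.co/.well-known/security.txt"
OP4_SECURITY_TXT = """\
Contact: mailto:andrew@op4.co
Preferred-Languages: en
Canonical: https://op4.co/.well-known/security.txt
Policy: https://op4.co/security
Expires: 2027-06-13T00:00:00.000Z
"""
REQUIRED = {"Contact", "Expires"}            # RFC 9116: MUST be present
SINGLE = {"Expires", "Preferred-Languages"}  # RFC 9116: MUST NOT appear more than once
def parse(text):  # field name -> list of values; blank lines and '#' comments are skipped
    fields = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields
def rfc3339(value):  # RFC 3339 timestamp with a mandatory zone designator, else None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else None
def check(text, served_at, now):
    """Return the problems found (empty list means pass); `now` is an RFC 3339 string."""
    f = parse(text)
    problems = [f"missing required field {n}" for n in sorted(REQUIRED - set(f))]
    problems += [f"{n} must appear only once" for n in sorted(SINGLE) if len(f.get(n, [])) > 1]
    problems += [f"Contact must be mailto:, tel: or https: ({v})" for v in f.get("Contact", [])
                 if urlparse(v).scheme not in ("mailto", "tel", "https")]
    problems += [f"{n} must be an https URL ({v})" for n in ("Canonical", "Policy", "Acknowledgments", "Hiring")
                 for v in f.get(n, []) if urlparse(v).scheme != "https"]
    if "Canonical" in f and served_at not in f["Canonical"]:
        problems.append("Canonical does not list the URL the file is served from")
    t0 = rfc3339(now)
    for v in f.get("Expires", []):
        exp = rfc3339(v)
        if exp is None:
            problems.append(f"Expires is not RFC 3339 ({v})")
        elif exp <= t0:
            problems.append("file has expired")
        elif exp - t0 > timedelta(days=365):
            problems.append("Expires is over a year out (RFC 9116 recommends less)")
    return problems
```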