Legal

Security policy.

Coordinated vulnerability disclosure and the site's security posture. Last updated: 2026-06-07.

Reporting a vulnerability

If you find a vulnerability in culturetech.cl or in any open-source code under the github.com/CultureTechCL organization, write to security@culturetech.cl.

We acknowledge receipt within 72 hours and give concrete progress updates on the fix. If you'd rather encrypt the report, ask for our PGP key in the same email and we'll send it before exchanging technical details.

In scope

  • The culturetech.cl web app and *.culturetech.cl subdomains.
  • Workers, APIs and endpoints under culturetech.cl/api/*.
  • MCP endpoints under /.well-known/mcp-servers.json when present.
  • Public repositories at github.com/CultureTechCL.

Out of scope

  • Denial-of-service attacks (DoS/DDoS).
  • Social engineering of team members, contractors or clients.
  • Automated reports with no proof of impact (raw scanner output).
  • Missing security headers whose real impact is not demonstrated.

Commitments to reporters

  • We don't take legal action against good-faith research within scope.
  • We credit reporters publicly in the security advisory unless you ask us not to.
  • We coordinate a reasonable disclosure window (90 days by default, extendable if the fix requires third-party coordination).

Technical posture

The site is served entirely from Cloudflare Workers + Static Assets. TLS is enforced on all domains, HSTS is enabled, a strict CSP is set, and Turnstile protects the contact form. Secrets live exclusively in Cloudflare Secrets and never in the repo. Operational procedures are documented internally in docs/run/.

security.txt

We serve /.well-known/security.txt per RFC 9116 with the same information in machine-readable form.
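A small checker for the kind of security.txt described above, added here as an example and not the site's own file; the sample content (the Canonical and Policy URLs in particular) is constructed from this page and assumed, and `now` may be passed as an aware datetime or ISO 8601 string for reproducible checks.

```python
from datetime import datetime, timezone

# Constructed sample built from this page's contact address; the real file at
# /.well-known/security.txt and its Policy/Canonical URLs are assumed, not copied.
SAMPLE_SECURITY_TXT = """\
# Security policy for culturetech.cl (constructed sample)
Contact: mailto:security@culturetech.cl
Expires: 2027-06-07T00:00:00Z
Canonical: https://culturetech.cl/.well-known/security.txt
Policy: https://culturetech.cl/legal/security
"""

def parse_security_txt(text):
    """Map lowercase field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the RFC 9116 checks pass."""
    if isinstance(now, str):  # allow an ISO 8601 string for reproducible runs
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:  # Contact is mandatory
        problems.append("missing required Contact field")
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:/https:/tel: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:  # Expires is mandatory and must appear exactly once
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:  # a stale file is the most common real-world failure
                problems.append("Expires is in the past: the file must be refreshed")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    for url in fields.get("policy", []) + fields.get("canonical", []):
        if not url.startswith("https://"):  # web links in the file must be HTTPS
            problems.append(f"URL fields must use https: {url}")
    return problems
```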