postgr.esq — Security

REPORTING VULNERABILITIES

If you discover a security vulnerability in this service, please report it responsibly:

Email:    security@postgr.esq
PGP:      (available on request)
Language: English preferred

We will acknowledge receipt within 48 hours and aim to provide a substantive response within 7 days.

SCOPE

In scope:

• The postgr.esq web application and API endpoints
• NNTP, IMAP, POP3, and SSH protocol implementations
• The MCP server endpoint
• Authentication bypass, injection, or data integrity issues
• TLS configuration weaknesses

Out of scope:

• Content of archived emails (these are public records mirrored from postgresql.org)
• Denial of service attacks (please don't test these)
• Social engineering
• Third-party services (Cloudflare, Exoscale, Codeberg)

SECURITY ARCHITECTURE

• All protocols are read-only — no user-submitted content is accepted
• No accounts, passwords, sessions, or authentication tokens exist
• No personal data is stored (see Privacy)
• TLS via Let's Encrypt with DNS-01 validation
• Rate limiting on all endpoints
• Fail2ban for brute-force protection
• NixOS with mandatory access controls and minimal attack surface

MACHINE-READABLE

For automated tools: /.well-known/security.txt (RFC 9116)