Security at CodeFellow
How we protect this website and our clients' systems — and how to contact us if you find a vulnerability.
How we secure this website
HTTPS everywhere
All traffic is served over TLS 1.2+. HTTP requests are permanently redirected to HTTPS. HSTS is enforced.
Edge-native deployment
Deployed on Cloudflare Workers, which provides DDoS mitigation, WAF, and bot management at the network edge.
Minimal data retention
We collect only what is necessary. Contact form submissions are forwarded to internal tooling and not stored in a public database.
Dependency management
Dependencies are pinned and audited. We run automated vulnerability scanning on every build via npm audit.
Found a vulnerability?
We appreciate the work of security researchers. If you believe you have found a security vulnerability in code-fellow.com or any system we operate, please disclose it to us responsibly.
We ask that you give us a reasonable amount of time to investigate and address the issue before public disclosure. We commit to working with you in good faith and will not pursue legal action against researchers who follow these guidelines.
What to include in your report
- Description of the vulnerability and its potential impact
- Steps to reproduce (including URLs, payloads, or proof-of-concept code)
- The system or endpoint affected
- Your contact information for follow-up
Response timeline
Report a vulnerability
Send your report to our security email address. We read every submission.
Email security report
Scope
In scope: Vulnerabilities in code-fellow.com and any subdomain we operate, including API endpoints and edge functions.
Out of scope: Vulnerabilities in third-party services we use (Cloudflare, etc.), social engineering attacks, physical security, denial-of-service attacks, and issues that require unlikely levels of user interaction.
Please do not: Access, modify, or delete data belonging to others; perform denial-of-service testing; or use automated scanners without prior written permission.