If you find a bug, here's how to tell us.

1. What we do today

• HTTPS-only via surge.sh

  Every page on wallbed-hk.com is served over HTTPS. HTTP requests are redirected. The TLS certificate is managed by surge.sh; we do not control its rotation but it is renewed automatically.

• No third-party trackers active

  The chat-widget JS has placeholder slots for Google Analytics 4 and Meta Pixel — but no tracking ID is currently deployed. Whenever we activate one, we update /partners.html and /privacy.html the same day.

• EXIF metadata stripped on all images

  Per /photo-policy.html: every install image has GPS, device serial, and capture timestamp removed before web upload. No customer-identifying metadata leaks via image files.

• rel="noopener" enforced via deploy gate

  Every <a target="_blank"> on the site declares rel="noopener" to prevent tabnabbing — verified automatically by deploy step [3.897/4]. The gate fails if any new link forgets it.

• Customer data minimisation

  We collect only what's needed for warranty fulfilment + statutory record-keeping. Detail at /privacy.html. Data retention: warranty expiry + 1 year, or earlier on customer request.

• No customer data on this static site

  Customer contracts, install photos awaiting consent, internal logs — none of these live on the public web. They are held offline. The only customer-sourced content on this domain is the gallery photos with signed releases.

2. What we don't yet do

• Content Security Policy (CSP) header

  surge.sh's static hosting doesn't let us set custom HTTP response headers easily. We use Tailwind CDN + Google Fonts CDN; a strict CSP would currently block them. Migration to a host that supports custom headers is on the roadmap.

• Subresource Integrity (SRI)

  Tailwind CDN and Google Fonts script tags don't currently use SRI hashes. If either CDN were compromised, content could be injected. Mitigated by the absence of customer-input fields on the site (no forms, no logins) but it's a real gap.

• Cyber-insurance coverage

  We don't carry cyber insurance — see /insurance.html for why (data minimisation reduces the dataset size to a manageable risk).

3. Responsible disclosure — how to report a bug

1. Email security@wallbed-hk.com with the subject line "SECURITY" + a one-line summary.
2. Describe what you found, the URL/file, and ideally a proof-of-concept.
3. We will acknowledge within 1 working day.
4. We will provide a fix ETA within 5 working days. Critical issues (information disclosure of customer data, content injection) get same-day attention.
5. You can request public credit when we publish the fix in the Trust Scorecard "what we got wrong" section. We will not threaten or restrict legitimate security research.

4. Out of scope

• Surge.sh platform-level vulnerabilities (report to surge.sh).
• Tailwind CDN, Google Fonts CDN — third-party services we use.
• Issues that require physical access to our showroom or office equipment.
• Social engineering of our staff.
• Volumetric attacks (DoS / DDoS) — we accept whatever surge.sh edge protection provides.

5. security.txt

The standard /.well-known/security.txt file linking to this page is on the roadmap. Until it's deployed, this page is the canonical reference and the email address above is the contact.