Security posture & threat model.
A site that writes about DevSecOps and AI security should be willing to show its own posture — including its threat model, the scanner grades that any reader can verify, the responsible-disclosure path, and the honest limits of the stack.
SSL Labs grade
Independent TLS configuration scan. Verifies cipher suite, chain, HSTS, OCSP stapling.
Run live scan →
Mozilla Observatory
HTTP header configuration: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Run live scan →
securityheaders.com
Scott Helme’s header grader. Public, independent, well-known.
Run live scan →
HardenedSecurity
DNSSEC, SPF, DMARC, DKIM, CAA — the email and DNS-layer postures most often ignored.
Run live scan →
Each link runs a fresh scan. Trust the scanner over my published claim.
Live configuration — what is and isn’t enforced.
The honest threat model.
What this site is and isn’t exposed to, written as a practitioner would for a real product.
In scope
- Domain compromise. Mitigated by: 2FA on registrar + GitHub. CAA record where supported.
- GitHub account compromise. Mitigated by: hardware FA, signed commits, branch protection on main, GitHub-managed deploy keys only.
- Supply-chain compromise of fonts / scripts. Mitigated by: small surface (Google Fonts only, served from googleapis.com), no third-party JS at load time.
- Phishing impersonation. Mitigated by: SPF + DMARC on the domain’s email; clear canonical URL; same-origin links throughout.
- Cross-site embedding. Practical impact low (static content); X-Frame-Options not enforceable on Pages.
Out of scope
- Server-side compromise. No server-side rendering or APIs — nothing to compromise on this side.
- Data exfiltration. No user data collected.
- Auth / session compromise. No authenticated routes.
- Stored XSS. No user input persisted.
Known limits
- No strict CSP. GitHub Pages doesn’t expose response-header customisation. The vercel.json in the repo carries the CSP that would apply if redeployed. Today, CSP is not enforced.
- No HSTS preload. Edge enforces HTTPS but the preload list requires custom-CDN deployment.
- Reflected XSS via URL hash. Diagnostic + calculator pages read URL-hash for shareability. Hash content is treated as untrusted and validated against an integer pattern before use.
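One way to implement the hash validation described in the last item, added here as an illustration and not taken from this site's source. The field names (q1, q2), the 0-100 range, the length cap and both function names are assumptions.

```javascript
// Added example (not the site's code). Parses a shareable hash like "#q1=3&q2=0".
// Assumed: field names q1/q2, values 0-100, a 256-character cap on the hash.
const INT_PATTERN = /^(0|[1-9][0-9]{0,2})$/; // digits only: no sign, exponent, hex, leading zero
const MAX_VALUE = 100;
const MAX_HASH_LENGTH = 256;

// Returns an object of validated integers, or null if anything is off.
// All-or-nothing: one bad field rejects the whole hash, nothing is "repaired".
function parseHashState(hash, allowedKeys) {
  const allowed = new Set(allowedKeys);
  const state = Object.create(null); // no prototype, so "__proto__" is just a rejected key
  const raw = String(hash).replace(/^#/, '');
  if (raw === '') return state;
  if (raw.length > MAX_HASH_LENGTH) return null;
  for (const pair of raw.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 1) return null; // missing "=" or empty key
    const key = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    // Match the raw text. No decodeURIComponent, so "%3C" never turns into "<".
    if (!allowed.has(key) || key in state) return null; // unknown or duplicate field
    if (!INT_PATTERN.test(value)) return null;
    const n = Number(value);
    if (n > MAX_VALUE) return null;
    state[key] = n;
  }
  return state;
}

// Second layer: even validated values reach the page as text, never as markup.
function renderTotal(el, state) {
  const total = Object.values(state).reduce((sum, n) => sum + n, 0);
  el.textContent = String(total);
  return total;
}

// Constructed sample hashes; only the first should be accepted.
const SAMPLES = ['#q1=3&q2=0', '#q1=7%3Cb%3E', '#q1=1e3', '#q1=-1', '#q1=101', '#q1=1&q1=2', '#__proto__=1'];
for (const h of SAMPLES) {
  console.log(h, '->', JSON.stringify(parseHashState(h, ['q1', 'q2'])));
}
```

In a browser the first argument would be location.hash and el a real DOM node; the pattern is applied before any decoding, so an encoded payload fails the same way as a literal one.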
Responsible disclosure.
Found a security issue with this site, or with the opa-nist-ai-rmf OSS repo? Please report it to contact@hellouchit.com. Reasonable, no-paywall disclosure timeline:
- Acknowledgement within 72 hours.
- Triage + fix plan within 7 days for confirmed issues.
- Fix within 30 days for non-critical, 7 days for critical.
- Public credit on this page on request, with the reporter’s preferred attribution.
For OSS code, you can also raise a private security advisory via the GitHub repo’s Security tab.
There is no paid bug-bounty for this site or the OSS repos. There is genuine appreciation — and public credit — for responsible disclosure.
OSS supply-chain posture (opa-nist-ai-rmf).
- License — MIT, explicit in repo root.
- CI — GitHub Actions runs opa test on every push; green badge in README.
- Branch protection — main protected; PR review required for material change.
- Dependencies — zero. The policy is pure Rego; the only runtime dependency is OPA itself.
- Signed commits — configured at the GitHub account level.
- SBOM — no third-party packages to inventory; trivial repo SBOM available on request.
Companion.
Performance, asset-weight and operational posture live at /observability. The two pages together are the “practising what we preach” surface.