W.R.A.A.S. is a static joke site hosted on GitHub Pages. It has no backend, no database, no user accounts, and no server-side processing. The attack surface is limited to:
- Client-side HTML, CSS, and JavaScript served from wraas.github.io
- Third-party scripts (GoatCounter analytics via gc.zgo.at)
- GitHub Actions CI/CD workflows
Only the latest version deployed to main is supported. There are no versioned releases.
If you discover a security issue, please report it privately:
- Email: romain.lespinasse@gmail.com
- GitHub: Open a private security advisory
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
You should receive an acknowledgment within 48 hours. Please do not open a public issue for security vulnerabilities.
All third-party scripts are loaded with integrity and crossorigin attributes, so the browser refuses to execute a script whose content no longer matches the recorded Subresource Integrity (SRI) hash. A daily CI workflow (check-sri.yaml) verifies that the SRI hashes still match the scripts currently served and opens a PR if they need updating.
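The check that such a daily job performs, shown here as an added example rather than the project's own check-sri.yaml: compute the sha384 SRI value for a script body and compare it with the integrity attribute on the page. The script content, the page snippet and the GoatCounter endpoint URL in the fixture are constructed for the demonstration; only the hash format and the openssl invocation are standard.

```shell
#!/bin/sh
# Added example, not code from the W.R.A.A.S. repository. The fixture built by
# make_fixture (script body, page snippet, goatcounter URL) is constructed.

# Print "sha384-<base64 digest>" for the file at $1, the exact string a browser
# compares against the integrity attribute.
sri_hash() {
    printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Print the integrity value of the first <script> tag in page file $1.
page_integrity() {
    sed -n 's/.*integrity="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the hash of the fetched script ($1) equals the
# integrity value recorded in the page ($2); fail otherwise. A CI job would
# download the live third-party script into $1 before calling this.
sri_check() {
    [ "$(sri_hash "$1")" = "$(page_integrity "$2")" ]
}

# Build a constructed fixture: a stand-in analytics script and a page that
# embeds it with a matching integrity attribute. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'window.goatcounter = {no_onload: true};\n' > "$dir/count.js"
    printf '<script data-goatcounter="https://example.goatcounter.com/count" async src="//gc.zgo.at/count.js" integrity="%s" crossorigin="anonymous"></script>\n' \
        "$(sri_hash "$dir/count.js")" > "$dir/index.html"
    echo "$dir"
}

# Stand-alone run: the untouched fixture passes, a modified script fails.
if [ "${SRI_DEMO:-1}" = "1" ]; then
    d=$(make_fixture)
    sri_check "$d/count.js" "$d/index.html" && echo "match: $(sri_hash "$d/count.js")"
    printf '\n// appended line\n' >> "$d/count.js"
    sri_check "$d/count.js" "$d/index.html" || echo "mismatch after modification (expected)"
fi
```

When the upstream script changes legitimately, the same mismatch fires; that is the case in which the daily workflow opens a PR carrying the new hash instead of silently accepting the new content.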
All GitHub Actions are pinned to specific commit SHAs rather than mutable tags, so a compromised or hijacked tag cannot substitute different code into the CI run. See the CI Workflows Reference for the full list of pinned versions.
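A lint that enforces this pinning policy, added here as an example and not taken from the project's workflows: it lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The workflow text in make_workflow, including its SHA, is constructed; local actions (./path) and docker:// references are skipped because they are not resolved through a mutable tag.

```shell
#!/bin/sh
# Added example, not code from the W.R.A.A.S. repository. The workflow written
# by make_workflow is constructed; its 40-hex SHA is a placeholder.

# Print one line per `uses:` reference in workflow file $1 that is not of the
# form owner/repo@<40 hex chars>. Handles both "- uses: x" and "uses: x" lines
# and strips surrounding quotes.
unpinned_actions() {
    awk '$1 == "-" && $2 == "uses:" { print $3 } $1 == "uses:" { print $2 }' "$1" \
      | sed "s/[\"']//g" \
      | grep -v '^\./' \
      | grep -v '^docker://' \
      | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references in $1; a CI gate fails when this is non-zero.
unpinned_count() {
    unpinned_actions "$1" | grep -c . || true
}

# Constructed workflow: one step pinned to a SHA (tag recorded in a trailing
# comment), one on a mutable tag, one on a branch, one local action.
make_workflow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
name: check-sri
on:
  schedule:
    - cron: '0 6 * * *'
jobs:
  sri:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-node@v4
      - name: third-party step
        uses: "some-org/some-action@main"
      - uses: ./.github/actions/local-step
EOF
    echo "$f"
}

# Stand-alone run: report the two references a reviewer would ask to pin.
if [ "${PIN_DEMO:-1}" = "1" ]; then
    w=$(make_workflow)
    echo "unpinned references: $(unpinned_count "$w")"
    unpinned_actions "$w"
fi
```

The trailing comment on the pinned line keeps the human-readable version next to the SHA, which is how a reviewer can still tell what a bump changes; the lint ignores the comment because awk only reads the reference field.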
The site collects no personal data, stores no credentials, and uses no cookies. Analytics are handled by GoatCounter, a privacy-respecting service that does not track individual users.
The /.well-known/security.txt file on the live site is an easter egg — it is part of the rickroll. For actual security matters, use the contact methods listed above.