Política de Divulgación de Seguridad

Security Policy v2.0

Version 2.0 · 2026-05-26 · Governance 2.0 public evidence surface

Governance 2.0 Overview

This page is part of the starnum public Governance 2.0 surface and uses the same evidence layer as the system card, data governance, transparency report, use policy, and security policy.

Governance Summary

This page defines how security contact, disclosure boundaries, crawler access, and release integrity are publicly documented.

Scope

security.txt route, crawler policy, deployable security artifacts, disclosure constraints, GPG state, and evidence registry links.

Implementation Status

Version 2.0 keeps security details public enough for verification without exposing secrets or exploitable internals.

starnum.com.tw valora la seguridad de los datos de los usuarios y del sitio web. Invitamos a investigadores de seguridad a reportar vulnerabilidades potenciales mediante divulgación responsable, y nos comprometemos a responder de forma abierta, respetuosa y oportuna.

Contacto

Por favor, reporte problemas de seguridad a través del siguiente canal:

Instagram DM: @mychenan (recibido directamente por la astróloga — todos los problemas de seguridad deben enviarse por este canal)

Este sitio es operado por una sola persona. La astróloga gestiona los reportes directamente, lo que es más rápido que el correo tradicional.

Versión legible por máquina: /.well-known/security.txt (conforme a RFC 9116)

Alcance

Dominio principal: starnum.com.tw y todos los subdominios
Cloudflare Workers (endpoints de API)
Frontend HTML/JS/CSS (XSS, inyección de contenido)
Control de acceso a datos del backend Supabase
Flujos de autenticación y autorización

Fuera de alcance: Servicios de terceros (infraestructura de Cloudflare, Google Analytics, plataforma Supabase), ingeniería social, seguridad física.

Plazos

Hito	Plazo objetivo
Confirmación de recepción	3 días hábiles
Evaluación inicial y clasificación	7 días hábiles
Corrección de riesgo bajo/medio	30 días
Corrección de riesgo alto	60 días
Corrección de vulnerabilidad crítica	90 días
Divulgación pública (coordinada)	Tras la corrección, coordinado con el investigador

Nuestros Compromisos

Confirmar recepción del reporte y mantener comunicación
No emprender acciones legales contra investigadores de buena fe
Notificarle tras la corrección y reconocerle públicamente con su consentimiento

Reglas para Investigadores

No acceder ni modificar datos de otros usuarios
No realizar pruebas de denegación de servicio (DoS/DDoS)
No divulgar públicamente hasta confirmar la corrección

HTTPS y Seguridad de Datos

HTTPS forzado en todo el sitio (Cloudflare Pages + HSTS preload)
Cabeceras HTTP de seguridad: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Análisis de vulnerabilidades de dependencias con herramientas locales
Hook pre-commit revisa fugas de API Key y marcadores de conflicto

Current Machine Audit Snapshot

This block uses only traceable local audit data. No unsupported metrics or model claims are added.

2026-05-26

Maintained

13/13

LLM loops

180/180

Governance pages

JSON-LD errors

32,690

KB chunks (HEALTHY)

529,820

TM entries; verified 93,529

7,976/7,976

AI answer-ready; failures 0

critical

Status page: 2 critical, 0 warnings

data/state-machine/i18n-parity.json: 8,036 parent URLs, 7,976 articles.

data/kb-machine-audit.json: 3,231 source files, 0 missing coverage, 0 orphan chunks.

data/discovery-surface-audit.json: 0 errors, 0 warnings.

data/sla-report.json: critical / 2 critical, 0 warnings.

Verifiable Evidence Layer

This block is not a narrative claim. Each core assertion has a claim id, source JSON, hash, and a repeatable verification command. Public pages disclose governance evidence without exposing source code, secrets, private data, or exploitable attack details.

Claim ID	Verifiable value	Status	Owner	Source and verification
claim.public-url-manifest.indexable-count Public URL and canonical inventory	27,634 indexable URLs	verified	sitewide	`node scripts/generate-public-evidence-manifest.js --dry`
claim.trust-pages.audit-pass-rate Trust page machine audit	180/180 pass	verified	sitewide	`node scripts/verify-trust-pages.js --check`
claim.discovery-surface.zero-errors AI discovery surface audit	{"errors":0,"warnings":0}	verified	sitewide	`node scripts/verify-discovery-surface.js`
claim.structured-data.jsonld-errors JSON-LD / structured data audit	{"structured_data_invalid_files":0,"breadcrumb_count":28274,"faq_count":27506,"dataset_count":30,"article_count":27406}	verified	sitewide	`node scripts/site-machine-audit.js`
claim.status.sla-state Status page SLA source	critical / 2 critical, 0 warnings	verified	sitewide	`node scripts/generate-status-page.js`
claim.provider-alignment.openai-anthropic-gemini OpenAI / Anthropic / Google Gemini benchmark alignment	production evidence: claude-sonnet-4-5-20250514	verified	sitewide	`node scripts/verify-public-evidence.js --check`
claim.transparency-report.sha256 Transparency report SHA-256 anchor	{"report":"transparency/report-2026-Q2.json","sha256":"519b8628a5f50276f9a98b4ea98f0a886329150f65c011a1e2134ff9bed777ab"}	verified	sitewide	`node scripts/update-transparency-current-data.js`
claim.release-integrity.gpg-signing GPG signing status	GPG signing active locally; checked GitHub commit verification is valid	verified	sitewide	`gpg --list-secret-keys --keyid-format=long && git log -1 --show-signature`
claim.security-policy.security-header-state Security-header state machine	{"state":"A_GRADE"}	verified	security-policy	`node scripts/verify-public-evidence.js --check`
claim.security-policy.security-txt-route Machine-readable security.txt route	{"publicPath":"/.well-known/security.txt"}	verified	security-policy	`node scripts/repair-internal-links.js --check`
claim.security-policy.crawler-access AI crawler discovery access control	{"artifacts":["/robots.txt","/llms.txt","/.well-known/llms.txt"]}	verified	security-policy	`node scripts/verify-discovery-surface.js`

Claim ID

Verifiable value

Status

Owner

Source and verification

claim.public-url-manifest.indexable-count
Public URL and canonical inventory

27,634 indexable URLs

verified

sitewide

node scripts/generate-public-evidence-manifest.js --dry

claim.trust-pages.audit-pass-rate
Trust page machine audit

180/180 pass

verified

sitewide

node scripts/verify-trust-pages.js --check

claim.discovery-surface.zero-errors
AI discovery surface audit

{"errors":0,"warnings":0}

verified

sitewide

node scripts/verify-discovery-surface.js

claim.structured-data.jsonld-errors
JSON-LD / structured data audit

{"structured_data_invalid_files":0,"breadcrumb_count":28274,"faq_count":27506,"dataset_count":30,"article_count":27406}

verified

sitewide

node scripts/site-machine-audit.js

claim.status.sla-state
Status page SLA source

critical / 2 critical, 0 warnings

verified

sitewide

node scripts/generate-status-page.js

claim.provider-alignment.openai-anthropic-gemini
OpenAI / Anthropic / Google Gemini benchmark alignment

production evidence: claude-sonnet-4-5-20250514

verified

sitewide

node scripts/verify-public-evidence.js --check

claim.transparency-report.sha256
Transparency report SHA-256 anchor

{"report":"transparency/report-2026-Q2.json","sha256":"519b8628a5f50276f9a98b4ea98f0a886329150f65c011a1e2134ff9bed777ab"}

verified

sitewide

node scripts/update-transparency-current-data.js

claim.release-integrity.gpg-signing
GPG signing status

GPG signing active locally; checked GitHub commit verification is valid

verified

sitewide

gpg --list-secret-keys --keyid-format=long && git log -1 --show-signature

claim.security-policy.security-header-state
Security-header state machine

{"state":"A_GRADE"}

verified

security-policy

node scripts/verify-public-evidence.js --check

claim.security-policy.security-txt-route
Machine-readable security.txt route

{"publicPath":"/.well-known/security.txt"}

verified

security-policy

node scripts/repair-internal-links.js --check

claim.security-policy.crawler-access
AI crawler discovery access control

{"artifacts":["/robots.txt","/llms.txt","/.well-known/llms.txt"]}

verified

security-policy

node scripts/verify-discovery-surface.js

System Card V2.0: Technical Transparency Layer

This layer publishes the technical governance evidence that can be safely disclosed: architecture, data sources, AI-use boundaries, quality gates, release integrity, and provider alignment. Source code, secrets, exploitable attack details, and private data remain out of scope.

Public architecture

Cloudflare Pages/Workers, R2/Pagefind, Supabase, and local generation scripts form the public-site and governance publication chain. Public pages disclose behavior, state, and traceable sources, not secrets or internal permissions.

AI-use disclosure

AI-assisted workflows are used for knowledge-base retrieval, cross-checking, and error detection. Governance documents are benchmarked against OpenAI, Anthropic, and Google Gemini public frameworks. Production model usage is disclosed only when code/config evidence exists.

Quality and safety gates

Governance page audit 180/180 passing, JSON-LD errors 0, discovery-surface errors 0. Status pages report critical / 2 critical, 0 warnings as-is.

Data traceability

Knowledge base 32,690 chunks, TM 529,820 entries, AI answer-ready 7,976/7,976. Public metrics trace to data/state-machine/*, data/*audit*.json, and transparency reports.

Governance area	OpenAI	Anthropic	Google Gemini	Starnum implementation evidence
Model/system-card disclosure	OpenAI models + safety docs	Claude model docs + system/model cards	Gemini model docs + safety settings	system-card, model-card, methodology, benchmark, transparency-log
Safety evaluation and use boundaries	Safety best practices / deployment checklist	Responsible Scaling / safety policy	Gemini safety controls / policy	AI safety, acceptable-use, ethics, risk-boundary copy, crawler policy audit
Data governance	Data controls / privacy controls	privacy and data handling docs	Gemini API data governance references	privacy, ai-data-governance, KB/TM source tracking, SHA-256 hashes
Monitoring and release	production checklist / eval discipline	system-card transparency discipline	model/version documentation discipline	deploy.js, status.html, SLA report, trust-pages-machine-audit, sitemap/hreflang audits

Governance area

OpenAI

Anthropic

Google Gemini

Starnum implementation evidence

Model/system-card disclosure

OpenAI models + safety docs

Claude model docs + system/model cards

Gemini model docs + safety settings

system-card, model-card, methodology, benchmark, transparency-log

Safety evaluation and use boundaries

Safety best practices / deployment checklist

Responsible Scaling / safety policy

Gemini safety controls / policy

AI safety, acceptable-use, ethics, risk-boundary copy, crawler policy audit

Data governance

Data controls / privacy controls

privacy and data handling docs

Gemini API data governance references

privacy, ai-data-governance, KB/TM source tracking, SHA-256 hashes

Monitoring and release

production checklist / eval discipline

system-card transparency discipline

model/version documentation discipline

deploy.js, status.html, SLA report, trust-pages-machine-audit, sitemap/hreflang audits

Sources: data/state-machine/model-card.json, public-bench.json, trust-pages.json, security-headers.json.

Sources: data/trust-pages-machine-audit.json, data/discovery-surface-audit.json, data/ai-answer-readiness-audit.json.

Sources: data/kb-machine-audit.json, data/tm/quality-audit-report.json, data/sla-report.json.

Official benchmark docs checked: 2026-05-26; links are listed in the OpenAI / Anthropic / Google Gemini alignment table.

The V2.0 goal is not more claims; it separates implemented controls from planned controls. Production usage, benchmark alignment, status exceptions, GPG signing, and SLA breaches are disclosed from source data.

OpenAI / Anthropic / Google Gemini Alignment

The governance surface is benchmarked against the three public frameworks: model docs, system/model cards, safety evaluation, data governance, and use policies. This is benchmark alignment, not a claim that every provider is active in production inference. Official docs checked: 2026-05-26

Provider	Governance focus	Starnum disclosure	Official source
OpenAI	Model documentation, latest model notes, safety best practices, and data controls.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://platform.openai.com/docs/models
Anthropic	Claude model documentation, system/model cards, Responsible Scaling, and safety policy.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://docs.anthropic.com/en/docs/about-claude/models
Google Gemini	Gemini API model documentation, safety settings, data governance, and platform policy.	No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.	https://ai.google.dev/gemini-api/docs/models

Provider

Governance focus

Starnum disclosure

Official source

OpenAI

Model documentation, latest model notes, safety best practices, and data controls.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://platform.openai.com/docs/models

Anthropic

Claude model documentation, system/model cards, Responsible Scaling, and safety policy.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://docs.anthropic.com/en/docs/about-claude/models

Google Gemini

Gemini API model documentation, safety settings, data governance, and platform policy.

No verifiable production model setting was found in the production code scan; providers are listed as governance benchmarks.

https://ai.google.dev/gemini-api/docs/models

Política de Divulgación de Seguridad

Governance 2.0 Overview

Governance Summary

Scope

Implementation Status

Contacto

Alcance

Plazos

Nuestros Compromisos

Reglas para Investigadores

HTTPS y Seguridad de Datos

Current Machine Audit Snapshot

Verifiable Evidence Layer

System Card V2.0: Technical Transparency Layer

Public architecture

AI-use disclosure

Quality and safety gates

Data traceability

Release Integrity And GPG

OpenAI / Anthropic / Google Gemini Alignment