Testing boundary
Keep reports limited and useful.
- Limit testing to the public site.
- Do not exfiltrate data, bypass identity controls, or persist beyond the minimum needed to confirm the issue.
- Do not submit private infrastructure screenshots, credentials, or sensitive client records.
- Include the affected URL, observed behavior, browser or tool context, and a safe reproduction summary.