Security statement
Last updated: July 11, 2026. Draft — review with legal counsel before publication.
Our approach
This website is a static build with a small PHP contact endpoint. Our security posture is documented in the repository SECURITY.md, SECURITY-HEADERS.md, and DEPLOYMENT-SECURITY-CHECKLIST.md.
What we do
- HTTPS-only, with security headers set at the web-server layer.
- No API keys or SMTP credentials in client JavaScript, JSON, or the public bundle.
- Server-side input validation on the contact endpoint, honeypot, and rate-limit.
- Minimal third-party JavaScript. No advertising trackers.
- Dependency versions are locked and audited before each deployment.
Report a vulnerability
Please email official@trendandbrands.com with the URL, steps to reproduce, and any proof-of-concept. We aim to acknowledge reports within two business days.
We ask that researchers act in good faith: no data exfiltration beyond what is needed to demonstrate the issue, no service disruption, and no automated scanning that affects real users.
Contact channel
A machine-readable disclosure policy is available at /.well-known/security.txt.