Found a hole in the site or data? Open a private security advisory on GitHub. I'll reply when I can; no SLA promised for a hobby research repo.

• Don't paste stack traces with real data in public issues.
• The site is fully static — there's no server-side code to attack. Frontend XSS / CSP issues are the only meaningful attack surface.
• The raw exam data is not in this repo, so don't bother asking for it.

• Third-party CDN / font services (Google Fonts, jsDelivr, etc).
• Theoretical concerns without a PoC.