This is a photography portfolio — no logins, no payments, no user data beyond a contact form. But if you find something broken or exploitable, I'd like to know.
Found a vulnerability? Email josh@joshozuna.com with a description of the issue, steps to reproduce, and any supporting evidence. I usually respond within 48 hours.
I ask that you give me reasonable time to address the issue before disclosing it publicly. I will acknowledge receipt and provide updates as I work through the fix.
The following are in scope for responsible disclosure: joshozuna.com and its subdomains, the public API at /api/photos, and the contact form submission endpoint.
Out of scope: third-party services (Cloudinary, Vercel, Umami), social media accounts, and denial-of-service testing.
All traffic is served over HTTPS with TLS 1.3. The site enforces HSTS (HTTP Strict Transport Security) with a max-age of two years, including subdomains, and is submitted to the HSTS preload list. Insecure requests are automatically upgraded.
The site uses a strict Content Security Policy that restricts scripts, styles, images, and connections to explicitly trusted origins. Framing is denied via X-Frame-Options, content sniffing is blocked, and cross-origin policies are enforced. Rate limiting is applied to all form submissions and API endpoints to prevent abuse.
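A quick way to confirm that a deployment actually sends the hardening described above is to audit the response headers rather than trust the configuration. The checker below is an added example, not code from this site; it verifies the HSTS directives (a two-year max-age, `includeSubDomains`, `preload`), that the CSP's script sources contain no wildcard or `unsafe-inline`/`unsafe-eval` entries, that `X-Frame-Options` is `DENY`, that `X-Content-Type-Options` is `nosniff`, and that cross-origin policy headers are present. The two header sets it runs against are constructed samples, the origins in them are placeholders, and reading "cross-origin policies" as `Cross-Origin-Opener-Policy` and `Cross-Origin-Resource-Policy` is an assumption, since the page does not name the headers.

```python
"""Audit HTTP response headers against a stated hardening baseline.

Added example, not the portfolio site's own code. The header dictionaries
at the bottom are constructed samples; feed the function the headers from a
real response (e.g. requests.get(url).headers) to audit a live site.
"""

TWO_YEARS = 2 * 365 * 24 * 60 * 60  # 63072000 seconds, the max-age the page states


def parse_hsts(value):
    """Split 'max-age=...; includeSubDomains; preload' into a lowercase dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def parse_csp(value):
    """Split a CSP into {directive: [source, ...]}; valueless directives map to []."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} is below two years ({TWO_YEARS})")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        p = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = p.get("script-src", p.get("default-src", []))
        for bad in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if bad in script_src:
                findings.append(f"CSP script sources allow {bad}")
        if "upgrade-insecure-requests" not in p:
            findings.append("CSP lacks upgrade-insecure-requests")

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Assumed reading of "cross-origin policies are enforced"
    for name in ("cross-origin-opener-policy", "cross-origin-resource-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings


# Constructed sample: what a response matching the stated policy looks like.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.test; "
        "img-src 'self' https://images.example.test data:; upgrade-insecure-requests"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: a typical under-hardened deployment.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs) or "all checks passed")
```

The hardened sample produces no findings; the weak one produces nine, including the one-year HSTS max-age, the missing `preload` and `includeSubDomains` directives, and the `'unsafe-inline'` script source. Run the same function over the headers of a real response to confirm the policy is actually being served, including on subdomains, since an HSTS `includeSubDomains` claim is only as good as the headers each subdomain returns.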
If you need to send sensitive information, you can encrypt your message using my PGP key.
Nobody's found anything yet. Either the site is solid or nobody's looking.
See also the privacy policy for information about data collection, and image use & licensing for usage rights.
last updated: march 2026