michalspacek.cz + michalspacek.com + subdomains source code because why not
I believe your threat model should include a scenario when somebody gains access to your code repository, and having my source code publicly available helps me to keep that in mind and apply mitigations before it's too late. Plus sometimes, I want to show the code of some of the tricks used on my site and this makes it far easier.
If you find a bug please file a new issue or let me know. I don't offer bounties for security bugs but I'll buy you a beer or make a donation to a charity of your choice (which you can then match if you want). You can find my contacts for example in security.txt (what's that?) or elsewhere.
Everything is open source if you have the right access.