• I’m just one guy, and I don’t make any money from my websites, so I’m afraid there’s no bug/vulnerability bounty. I can also be quite slow to respond because I have a full-time day job.
• I don’t consider having XML-RPC or the WordPress API enabled for WordPress a vulnerability, so please don’t report it.
• I don’t look after https://tumblr.gothick.org.uk. Tumblr does. If you spot anything there, that’s their problem.
• I don’t consider having the Google Maps API key in my Javascript a vulnerability either. Embedding the API key in source code is literally the only way to have the Google Maps API work, and is Google’s recommended practice for using Google Maps. It’s fine. Take a chill pill.
• I’ll consider most other things on a case-by-case basis. If you’ve found a real problem, at least you’ll get into my Security Hall of Fame.

Thanks!