Responsible Disclosure Policy
Security researchers are welcome here. If you have found a vulnerability in antoniobrundo.org, I invite you to report it privately and in good faith. This policy sets out how to reach me, what to expect in return, and the coordinated-disclosure process I follow so that issues get fixed before they are made public.
Reporting a vulnerability
Please send your report by email to security@antoniobrundo.org. If your report contains sensitive details — proof-of-concept payloads, captured data, or step-by-step exploitation — I encourage you to encrypt them or share them through a secure channel; mention in your first message that you would like a key or a secure link.
To help me triage and reproduce the issue quickly, a good report includes:
- The affected URL, endpoint, or component.
- Clear, minimal steps to reproduce the issue.
- The security impact you believe it has, and any prerequisites.
- Supporting evidence — a proof of concept, request/response captures, or screenshots.
A machine-readable version of this contact information is published at /.well-known/security.txt, following RFC 9116.
I commit to acknowledging every good-faith report within 3 business days, keeping you informed as I investigate, and letting you know when the issue has been resolved.
Guidelines
Coordinated disclosure works when researchers and operators both act responsibly. When testing, please:
Act in good faith, and only interact with accounts and data that belong to you or that you have explicit permission to use. Do not access, modify, delete, or exfiltrate data that is not yours — stop as soon as you have confirmed a vulnerability exists. Avoid actions that degrade service: no denial-of-service or volumetric testing, no spam, no automated scanning that impairs availability. No social engineering, phishing of staff or users, and no physical attacks against infrastructure. Give me a reasonable period to investigate and remediate before disclosing any details publicly, and coordinate the timing of any publication with me. Comply with all applicable laws, and keep any information about the vulnerability confidential until it is resolved.
Scope
In scope: the antoniobrundo.org web property and its subdomains — the pages, assets, and services hosted under that domain.
Out of scope:
- Third-party services, platforms, and vendors that are not operated by me (report those to the respective provider).
- Volumetric or distributed denial-of-service attacks and any load/stress testing.
- Best-practice or informational reports without a demonstrated, exploitable security impact (for example, missing headers, TLS configuration preferences, or automated scanner output on their own).
- Spam, social engineering, and phishing.
If you are unsure whether something is in scope, ask before you test — I would rather answer a question than see well-intentioned research go sideways.
Safe harbor
I consider security research conducted in good faith and in accordance with this policy to be authorized. If you follow these guidelines, I will not pursue or support legal action against you for your research, and I will not report your activity to law enforcement. Should a third party bring action against you for work that complied with this policy, I will make it known that your research was authorized.
This safe harbor applies only to conduct that stays within the guidelines and scope above. If in doubt about whether a specific action is permitted, contact me first at security@antoniobrundo.org and ask.
Report a vulnerability
Found something? Send a good-faith report and I will get back to you within 3 business days.
Email the security contact Back to Security