Security

Responsible Disclosure Policy

Security researchers are welcome here. If you have found a vulnerability in antoniobrundo.org, I invite you to report it privately and in good faith. This policy sets out how to reach me, what to expect in return, and the coordinated-disclosure process I follow so that issues get fixed before they are made public.

Reporting a vulnerability

Please send your report by email to security@antoniobrundo.org. If your report contains sensitive details — proof-of-concept payloads, captured data, or step-by-step exploitation — I encourage you to encrypt them or share them through a secure channel; mention in your first message that you would like a key or a secure link.

To help me triage and reproduce the issue quickly, a good report includes:

  • The affected URL, endpoint, or component.
  • Clear, minimal steps to reproduce the issue.
  • The security impact you believe it has, and any prerequisites.
  • Supporting evidence — a proof of concept, request/response captures, or screenshots.

A machine-readable version of this contact information is published at /.well-known/security.txt, following RFC 9116.

I commit to acknowledging every good-faith report within 3 business days, keeping you informed as I investigate, and letting you know when the issue has been resolved.

Guidelines

Coordinated disclosure works when researchers and operators both act responsibly. When testing, please:

  • Act in good faith, and only interact with accounts and data that belong to you or that you have explicit permission to use.
  • Do not access, modify, delete, or exfiltrate data that is not yours — stop as soon as you have confirmed a vulnerability exists.
  • Avoid actions that degrade service: no denial-of-service or volumetric testing, no spam, no automated scanning that impairs availability.
  • No social engineering, phishing of staff or users, and no physical attacks against infrastructure.
  • Give me a reasonable period to investigate and remediate before disclosing any details publicly, and coordinate the timing of any publication with me.
  • Comply with all applicable laws, and keep any information about the vulnerability confidential until it is resolved.

Scope

In scope: the antoniobrundo.org web property and its subdomains — the pages, assets, and services hosted under that domain.

Out of scope:

  • Third-party services, platforms, and vendors that are not operated by me (report those to the respective provider).
  • Volumetric or distributed denial-of-service attacks and any load/stress testing.
  • Best-practice or informational reports without a demonstrated, exploitable security impact (for example, missing headers, TLS configuration preferences, or automated scanner output on their own).
  • Spam, social engineering, and phishing.

If you are unsure whether something is in scope, ask before you test — I would rather answer a question than see well-intentioned research go sideways.

Safe harbor

I consider security research conducted in good faith and in accordance with this policy to be authorized. If you follow these guidelines, I will not pursue or support legal action against you for your research, and I will not report your activity to law enforcement. Should a third party bring action against you for work that complied with this policy, I will make it known that your research was authorized.

This safe harbor applies only to conduct that stays within the guidelines and scope above. If in doubt about whether a specific action is permitted, contact me first at security@antoniobrundo.org and ask.

No paid bug bounty: there is currently no monetary reward program for this site. What I do offer is genuine recognition — I am glad to publicly acknowledge and credit researchers who responsibly report valid, novel vulnerabilities, if you would like that. Please report because it is the right thing to do, not for a specific reward.

Report a vulnerability

Found something? Send a good-faith report and I will get back to you within 3 business days.

Email the security contact Back to Security