Security Policy
Please note that this program does not offer rewards for bug submissions as diegomunozbeltran.com is just a small personal website.
This disclosure program is limited to assets in the scope found at the bottom of this page.
Things To Look For
- Web application vulnerabilities (Command Injection, SSRF, CSRF, XSS, etc.)
- Security misconfigurations
- Suggested security improvements
- Information leakage
- Multi-byte/binary exploitation
- Tor Hidden Service de-anonymization
- Security header configurations
- Content Security Policy (CSP) bypass
- DNS record configuration (SPF, DKIM, DMARC, CAA, etc.)
- TLS configuration
- Code security audit/review
- Software that is more than 24 hours out of date
- Etc…
Feel free to use automated tools as long as you do not cause network/service disruption for me or third-parties.
Testing must not cause issues for other organisations such as hosting providers, network operators or ISPs (e.g. Cloudflare).
Disclosure Policy
- Let me know of any potential vulnerabilities as soon as possible and I will make every effort to resolve the issue quickly.
- Share with me the full details of any vulnerability including steps to reproduce if applicable.
- Provide me a reasonable amount of time to fix the issue before disclosure to the public or a third-party.
- Try to avoid degradation of service, destruction of data or privacy violations.
While researching, please do not attempt the following:
- Denial of service (DoS)
- Spamming
- Phishing
- Spoofing or hijacking
- Man in the Middle (MitM) or interception
- Attacks which require physical presence on the network of a user
- Domain name hijacking or theft
- Account hijacking or theft
- Cybersquatting
- Social engineering
- Physical/real-life attacks
- Anything that could falsely lower the reputation of me or my website
- Anything that could falsely get me in trouble
- Attacks on third-party systems that are out of my general control
Rewards
Please note that this program does not provide monetary rewards for bug submissions.
Researchers who submit non-issues, false issues or purely opinion-based issues may not be thanked publicly.
Thank you for helping keep diegomunozbeltran.com safe!