Scope
bersec.meand its subdomains- Open-source projects under this identity (GitHub repos linked from this site)
Contact
- Email: contact@bersec.me (Proton — end-to-end)
- LinkedIn: linkedin.com/in/rafael-gacek
- Machine-readable: /.well-known/security.txt (RFC 9116)
What helps in a report
- URL / asset, version, reproducible PoC (steps, payload, HTTP request)
- Impact assessment: confidentiality / integrity / availability
- Your contact info if you want credit
Rules
- Good-faith research — testers acting within this policy will not face legal action from me.
- No DoS, no social engineering against third parties, no data destruction.
- Do not test the infrastructure of clients I work with — only the target defined above.
- Public disclosure after agreed timing (default: 90 days or after the fix ships, whichever comes first).
Response time
- First response: within 3 business days.
- Triage and status: within 7 days.
- Fix / close-out: severity-dependent.
Credit
On request I'll publish credit (hall of fame / blog) after the report is closed.