skip to content

$ cat ./security

Responsible Disclosure Policy — bersec.me

Scope

  • bersec.me and its subdomains
  • Open-source projects under this identity (GitHub repos linked from this site)

Contact

What helps in a report

  • URL / asset, version, reproducible PoC (steps, payload, HTTP request)
  • Impact assessment: confidentiality / integrity / availability
  • Your contact info if you want credit

Rules

  • Good-faith research — testers acting within this policy will not face legal action from me.
  • No DoS, no social engineering against third parties, no data destruction.
  • Do not test the infrastructure of clients I work with — only the target defined above.
  • Public disclosure after agreed timing (default: 90 days or after the fix ships, whichever comes first).

Response time

  • First response: within 3 business days.
  • Triage and status: within 7 days.
  • Fix / close-out: severity-dependent.

Credit

On request I'll publish credit (hall of fame / blog) after the report is closed.