VULNERABILITY DISCLOSURE POLICY

1. Commitment to Security

Andri.is is committed to the security of my services and data. I value the contributions of the independent security research community in helping me maintain a secure environment. If you believe you have discovered a security vulnerability, I encourage you to report it to me responsibly and in accordance with this policy.

2. Authorization and Safe Harbor

I consider security research and vulnerability disclosure activities conducted in accordance with this policy to be "authorized" conduct. I will not pursue civil or criminal action, or notify law enforcement, for accidental or good-faith violations of this policy. I waive any potential claims against you for circumventing technological measures used to protect the systems in scope of this policy. If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, I will make this authorization known.

3. Scope

In-Scope Systems:

• https://andri.is
• Any subdomains of andri.is (e.g., *.andri.is)

Out-of-Scope Systems:

Any third-party systems or services used by Andri.is (e.g., hosting provider infrastructure, external APIs, integrated SaaS platforms). Vulnerabilities discovered in these systems should be reported to the respective vendor according to their disclosure policy.

Out-of-Scope Vulnerabilities:

The following issues are considered out of scope:

• Reports from automated scanners or tools without a detailed, manual proof-of-concept. (Exception for Aftra)
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
• Missing security best practices (e.g., missing security headers, weak SSL/TLS cipher suites) without a demonstrated, exploitable vulnerability.
• Self-XSS (Cross-Site Scripting) that cannot be used to attack other users.
• Clickjacking on pages with no sensitive actions.
• Spam or social engineering techniques.
• Publicly known software vulnerabilities (CVEs) that have been public for less than 60 days.

4. Rules of Engagement

When conducting your research, you must not:

• Engage in any activity that could be disruptive, damaging, or harmful to the performance or availability of my services.
• View, access, modify, exfiltrate, or store any data that does not belong to you.
• Perform social engineering (e.g., phishing), or physical attacks.
• Introduce malicious software or code.

You must:

• Notify me as soon as possible after discovering a real or potential security issue.
• Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of my service.
• Stop testing and report immediately if you encounter any sensitive or personal data. Purge all local copies of the data upon reporting.
• Use exploits only to the extent necessary to confirm a vulnerability's presence.

5. Reporting Process

What to Include:

To help me validate and prioritize your submission, please include the following in your report:

• A detailed description of the vulnerability and its potential impact.
• Clear, step-by-step instructions to reproduce the issue, including any URLs or parameters involved.
• Any proof-of-concept scripts, screenshots, or videos that demonstrate the vulnerability.

Reports may be submitted anonymously.

6. Our Response Commitment

When you choose to share your contact information, I commit to the following:

• I will make a best effort to acknowledge receipt of your report within 3 business days.
• I will do my best to confirm the existence of the vulnerability and provide you with periodic updates on my remediation progress.
• I ask that you provide a reasonable amount of time (e.g., 90 days from acknowledgment) to resolve the issue before any public disclosure.

7. Recognition

I do not offer monetary rewards (bug bounties) for reported vulnerabilities. However, for valid reports that are submitted in accordance with this policy, I am happy to provide public recognition on a "Hall of Fame" page. Please let me know if you would like to be acknowledged and, if so, under what name or handle. By default, you will not be mentioned if you do not provide explicit permission.

8. Policy Governance

This policy may be updated at any time. Please refer to the "Last Updated" date at the top of this document for the current version. For any questions regarding this policy, please contact security@andri.is.