VULNERABILITY DISCLOSURE POLICY

Version 1.0 // Last Updated: 09.09.2025

1. Commitment to Security

Andri.is is committed to the security of my services and data. I value the contributions of the independent security research community in helping me maintain a secure environment. If you believe you have discovered a security vulnerability, I encourage you to report it to me responsibly and in accordance with this policy.

2. Authorization and Safe Harbor

I consider security research and vulnerability disclosure activities conducted in accordance with this policy to be "authorized" conduct. I will not pursue civil or criminal action, or notify law enforcement, for accidental or good-faith violations of this policy. I waive any potential claims against you for circumventing technological measures used to protect the systems in scope of this policy. If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, I will make this authorization known.

3. Scope

In-Scope Systems:

  • https://andri.is
  • Any subdomains of andri.is (e.g., *.andri.is)

Out-of-Scope Systems:

Any third-party systems or services used by Andri.is (e.g., hosting provider infrastructure, external APIs, integrated SaaS platforms). Vulnerabilities discovered in these systems should be reported to the respective vendor according to their disclosure policy.

Out-of-Scope Vulnerabilities:

  • Reports from automated scanners without manual proof-of-concept (Exception for Aftra)
  • Denial of Service (DoS) or DDoS attacks
  • Missing security best practices without demonstrated exploitable vulnerability
  • Self-XSS that cannot attack other users
  • Clickjacking on pages with no sensitive actions
  • Spam or social engineering techniques
  • CVEs that have been public for less than 60 days

4. Rules of Engagement

You must not:

  • Engage in activity that disrupts, damages, or harms service performance or availability
  • View, access, modify, exfiltrate, or store data that does not belong to you
  • Perform social engineering (e.g., phishing) or physical attacks
  • Introduce malicious software or code

You must:

  • Notify me as soon as possible after discovering a security issue
  • Make a good-faith effort to avoid privacy violations, data destruction, and service degradation
  • Stop testing and report immediately if you encounter sensitive or personal data
  • Use exploits only to the extent necessary to confirm a vulnerability

5. Reporting Process

How to Report:

Submit your findings via email to security@andri.is. For machine-readable discovery, refer to /.well-known/security.txt.

What to Include:

  • Detailed description of the vulnerability and its potential impact
  • Clear, step-by-step reproduction instructions including URLs or parameters
  • Proof-of-concept scripts, screenshots, or videos

Reports may be submitted anonymously.

6. Our Response Commitment

  • Acknowledgment within 3 business days
  • Confirmation and periodic updates on remediation progress
  • Reasonable time (90 days) before public disclosure

7. Recognition

I do not offer monetary rewards (bug bounties) for reported vulnerabilities. However, for valid reports submitted in accordance with this policy, I am happy to provide public recognition on a "Hall of Fame" page.

Security Researchers Hall of Fame

See the talented individuals who have helped improve our security

8. Policy Governance

This policy may be updated at any time. Please refer to the "Last Updated" date at the top of this document. For questions, contact security@andri.is.