Vulnerability Disclosure Policy
Last updated: June 29, 2026
I value the work of security researchers who help keep
geison.dev and my projects safe. This page explains how to
report a vulnerability responsibly.
How to report
Email your findings to security@geison.dev.
Where possible, please include:
- A clear description of the issue and its potential impact;
- Steps to reproduce (proof of concept, requests, screenshots);
- The affected URLs, parameters, or components;
- How you'd like to be credited (or if you prefer to stay anonymous).
What you can expect from me
- I acknowledge reports within 3 business days;
- I keep you updated on remediation progress;
- I won't pursue legal action for good-faith research that follows this
policy (safe harbor);
- With your permission, I'll credit you on the
acknowledgments page.
Guidelines (please do)
- Give me reasonable time to fix the issue before any public disclosure;
- Only test against accounts and data you own;
- Stop as soon as you encounter third-party data, and let me know.
Out of scope (please don't)
- Denial-of-service (DoS/DDoS) or load testing;
- Social engineering or phishing;
- Accessing, modifying, or exfiltrating third-party data;
- Spam, mass brute-forcing, or service degradation.
Referenced by the Policy field of my
security.txt (RFC 9116).