Last updated: 2025-08-24
1. Purpose
We are committed to keeping our systems and data secure. This policy outlines how security researchers can report vulnerabilities to us safely, and how we will handle those reports.
2. Scope
This policy applies to:
- All public‑facing services under the tschaikas-barsois.de domain.
- Any associated APIs, subdomains, and infrastructure we operate.
3. Reporting a Vulnerability
Please send reports to [email protected] or use our secure contact form.
If possible, encrypt your message with our PGP key.
Your report should include:
- A clear description of the vulnerability.
- Steps to reproduce (proof‑of‑concept code, screenshots, or logs).
- Potential impact and any suggested mitigations.
4. Guidelines for Researchers
We ask that you:
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- Limit testing to what is necessary to demonstrate the vulnerability.
- Do not access, modify, or delete data that is not your own.
- Respect applicable laws.
We will not pursue legal action against researchers who follow this policy.
5. Our Commitment
When you report a vulnerability:
- We will acknowledge receipt within 3 business days.
- We will provide status updates at least every 14 days until resolution.
- We will work with you to understand and remediate the issue promptly.
- We will credit you publicly (if desired) on our Acknowledgments page.
6. Disclosure Timeline
We aim to resolve and publicly disclose vulnerabilities within 90 days of the initial report, unless:
- A shorter timeline is mutually agreed upon.
- The vulnerability is actively exploited (in which case we may accelerate disclosure).
7. Out of Scope
The following are generally out of scope:
- Denial‑of‑service attacks.
- Spam or social engineering.
- Physical attacks on facilities.
- Vulnerabilities in third‑party services not under our control.