This site is best experienced on a laptop or desktop.

Security Policy

I take the security of this site seriously. If you have discovered a vulnerability, I appreciate you letting me know responsibly.

This page covers this website. For my software and hardware projects, each repository's own security policy applies where it has one, and the shared general policy lives alongside this page in the repository below.

Also on GitHub: zaccesss/security-policy

In scope

This policy covers isaacadjei.me and all its subdomains. Examples of issues that are in scope:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication or authorisation bypass
  • Sensitive data exposure
  • Server-side injection vulnerabilities

Out of scope

The following are explicitly out of scope and should not be reported:

  • Vulnerabilities in third-party services I do not control (Vercel, Cloudflare, Beehiiv, GitHub, Resend, Upstash)
  • Denial of service attacks or volumetric testing of any kind
  • Social engineering or phishing attempts targeting me or visitors
  • Issues that require physical access to my devices
  • Missing security headers that do not present a practical exploit path
  • Reports generated by automated scanners without manual validation

How to report

Send vulnerability reports by email to [email protected] with the subject line Security Disclosure. If email is not convenient, you can also use the contact page - note that the contact form does not support attachments, so paste any supporting material inline.

Please include the following in your report:

  • The affected URL or component
  • Your browser, device and operating system (where relevant)
  • Step-by-step instructions to reproduce the issue
  • What you expected to happen versus what actually happened
  • Screenshots, screen recordings or proof-of-concept code if available

Please do not publicly disclose the issue until I have had a reasonable opportunity to investigate and address it.

Response timeline

I aim to respond to all reports within the following timeframes:

  • Initial acknowledgement within 3 business days
  • Assessment and triage within 7 business days
  • Resolution or mitigation plan within 30 days for valid issues

Good faith

I will not take legal action against researchers who act in good faith, follow this policy and do not access, modify or delete data beyond what is needed to demonstrate the vulnerability. Valid reporters will be acknowledged on the Hall of Fame.