§ 05

DISCLOSURE.

If you find a security issue, I want to hear about it. Fast, private, and with credit if you want it.

▸ IN SCOPE
andri.is and all *.andri.is subdomains
Any public repo under github.com/AndriGitDev
Apps I actively run (ask if unsure)
▸ OUT OF SCOPE
Third-party SaaS I happen to use
Social engineering, physical attacks
DoS / volumetric testing
Automated scanner output without PoC (exception: Aftra tooling)
▸ RESPONSE SLA
72 hours · Acknowledgement
Ongoing · Triage, severity, and periodic status updates
90 days · Reasonable time before public disclosure
On fix · Credit in the Hall of Fame (if you want it)
▸ REPORT A VULNERABILITY
Private, fast, and credited — send details and I'll acknowledge within 72 hours.
security@andri.is
PGP key available on request · /.well-known/security.txt
▸ YOU MUST
Notify me as soon as you discover an issue
Make a good-faith effort to avoid privacy violations
Stop and report immediately if you touch sensitive data
Use exploits only as far as needed to confirm the vuln
▸ YOU MUST NOT
Disrupt, damage, or degrade service availability
Access, modify, or exfiltrate data that isn't yours
Conduct phishing, physical attacks, or social engineering
Introduce malicious software or code
▸ RECOGNITION

No monetary bounty — but for valid reports you get permanent credit on the Hall of Fame, a spot in commit history, and my genuine thanks.

Version · 1.0
Updated · 2025-09-09
Machine-readable · security.txt