Vulnerability Disclosure Policy

I work in offensive security myself, so I highly encourage you to poke around my infrastructure. If you find a way to break in or bypass my controls, I want to hear about it. Let's keep it safe, ethical, and collaborative.

Safe Harbor

If you conduct security research and vulnerability testing in good faith and in accordance with this policy, I consider your research to be authorized. I will not initiate legal action, file complaints with your ISP or hosting providers, or support any third-party legal action against you.

1. Scope

This policy applies to the primary domain and all subdomains under:

  • aldinsmajlovic.se & *.aldinsmajlovic.se

This explicitly includes:

  • aldinsmajlovic.se
  • blog.aldinsmajlovic.se
  • hub.aldinsmajlovic.se
  • status.aldinsmajlovic.se
  • ask.aldinsmajlovic.se
  • play.aldinsmajlovic.se

2. How to Report

Send all reports to security@aldinsmajlovic.se. I highly recommend encrypting sensitive details or proofs of concept using my PGP key (available at /pgp-key.txt).

To help me triage your report quickly, please use the following structure in your email:

**Title**: [Brief summary of the issue]
**Target**: [Specific subdomain or service URL]
**Description**: [What the vulnerability is and how it works]
**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
**Proof of Concept**: [Output, payloads, or links to secure screenshots]
**Impact**: [What an attacker could achieve with this vulnerability]

3. Rules of Engagement

Testing Guidelines:

  • Proof of Concept (PoC): To demonstrate access, retrieve only the minimum data required. For command execution, the output of whoami, id, or hostname is sufficient. Do not dump database tables, access private files, or exfiltrate credentials.
  • Automated Discovery & Fuzzing: Most of the infrastructure is behind Cloudflare, and aggressive scanning will trigger automatic blocks. Automated content/directory discovery is permitted, but you must limit your tools to 20 requests per second and a maximum of 10 concurrent threads (e.g. -rate 20 -t 10 in ffuf, or --rate-limit 20 --threads 10 in Feroxbuster; Feroxbuster applies its rate limit per directory scan, so also cap concurrent scans with --scan-limit 1 to stay under the overall limit).
  • Disclosure: Please allow a reasonable timeframe for remediation before publishing details.

Strictly Prohibited:

  • Lateral Movement: Pivoting, lateral movement, or attempting to access underlying infrastructure (hypervisors, routing equipment, or internal network segments) after achieving initial access is strictly prohibited. Stop at the container or VM level.
  • Denial of Service (DoS/DDoS) attacks that disrupt services.
  • Social engineering, phishing, or physical attacks against myself or users.
  • Credential brute-forcing (e.g. automated login guessing attacks) and endpoint spamming or fuzzing beyond the rate limit stated above.

4. Third-Party Infrastructure Disclaimer

Do not target third-party services or infrastructure hosting these domains. Testing must be limited to my specific configurations, applications, and deployments.

5. Out of Scope & Low-Effort Submissions

Notice regarding automated scanners: Submissions consisting entirely of copy-pasted automated scanner output without a manual, verified proof-of-concept demonstrating direct business or security impact will be ignored.

The following vulnerabilities and findings are explicitly out of scope and will not be triaged:

  • Missing HTTP security headers (e.g. CSP, X-Frame-Options, HSTS) without a working exploit proof-of-concept.
  • Missing SPF, DKIM, or DMARC records (unless it leads to a direct domain takeover).
  • SSL/TLS best practices (e.g. cipher suites, certificate pinning) that do not directly expose traffic.
  • Cookie flags (e.g. HttpOnly, Secure) on non-sensitive session handlers.
  • Clickjacking on unauthenticated public-facing pages.
  • Software version disclosure or verbose error messages.

6. Service Level Agreement (SLA)

I respect your time and efforts. I commit to the following response timeline:

  • Acknowledgment: Best effort within 3 business days of report submission.
  • Triage & Remediation: Regular updates on the fixing progress until resolved.

7. Recognition, Resumes & Write-ups

  • I cannot offer financial compensation (bug bounties).
  • Ethical and valid reports will be credited on my public Hall of Fame.
  • Write-ups & Resumes: Once a vulnerability has been fixed, you are fully authorized to write blog posts, document it on your resume, or share it on LinkedIn. If you wish, I will review your write-up beforehand and cross-promote it to my professional network.

Happy hacking!