Hyunsoo Ro

Security Policy

Responsible disclosure guidelines for Hyunsoo Ro.

Contact

Please report suspected vulnerabilities by email at hello@toosign.me. Include the affected URLs, enough detail to reproduce the issue, and any relevant proof of concept.

Scope

  • https://toosign.me and pages served from this blog.
  • Public routes, APIs, and static files maintained in this repository.
  • Issues that could affect confidentiality, integrity, or availability.

Out of Scope

  • Third-party services and platforms not operated by this site.
  • files.toosign.me and externally hosted files.
  • Social accounts, email provider infrastructure, and physical security issues.

Report Details

  • Affected URL or endpoint.
  • Vulnerability type and expected impact.
  • Steps to reproduce the issue.
  • Screenshots or a minimal proof of concept, if available.

Testing Guidelines

  • Do not access, modify, or delete data that is not yours.
  • Do not perform denial-of-service, spam, or social engineering tests.
  • Do not run automated high-volume scans.
  • Do not attempt credential stuffing, brute force, or account takeover tests.
  • Do not exfiltrate, persist, or publicly share data.
  • Give reasonable time to review and resolve the report before public disclosure.

Review Process

Valid reports are reviewed as time allows. I try to acknowledge actionable reports within 7 days, and resolution time may vary depending on severity and scope.

Reports made in good faith and within this policy will not be treated as malicious activity.