We take security seriously and appreciate responsible disclosures. This page describes how to report security issues for services operated under this domain and what you can expect from us.
1 Contact
Please report vulnerabilities by email:
- Primary developer: security@tsandrini.sh (main dev, IT infrastructure)
- Company primary: security@pesekmudra.cz
- Fallback: info@pesekmudra.cz
If you need encrypted communication, see the Encryption section below.
2 Scope
This policy applies to publicly reachable services and applications operated under our domains, including (but not limited to):
- Web apps hosted under our primary domain(s): pesekmudra.cz, pesekmudra-zpravy.cz
- APIs and supporting services exposed to the internet
- Authentication pages, dashboards, and reverse-proxied services
If you’re unsure whether something is in scope, send a report anyway and we’ll tell you.
3 Out of scope
The following are generally out of scope (unless you can demonstrate real impact in our environment):
- Issues requiring physical access or social engineering (phishing, vishing, etc.)
- Denial of Service (DoS) / volumetric traffic attacks
- Rate-limit / brute-force findings without a clear bypass
- “Missing best practices” with no exploit path (e.g. clickjacking where pages are already protected, generic headers, etc.)
- Vulnerabilities affecting only outdated browsers or non-default client configurations
- Findings exclusively in third-party services not operated by us
4 Safe harbor
We consider good-faith security research to be authorized under this policy.
If you:
- Make a good-faith effort to avoid privacy violations, destruction of data, and service disruption
- Only access data necessary to demonstrate the issue (don’t exfiltrate or persist data)
- Stop testing once you’ve confirmed impact
- Give us a reasonable opportunity to remediate before public disclosure
…then we will not initiate legal action against you for accidental, good-faith violations of this policy.
5 Testing guidelines
Please:
- Do not run automated scans that significantly degrade service availability.
- Do not access or modify other users’ data.
- Do not attempt persistence (backdoors, credential harvesting, malware).
- Keep the impact minimal and reversible.
- Prefer test accounts you control; if you need one, ask.
If the vulnerability involves sensitive data, include only redacted samples in the report (or describe the evidence without attaching it). If you have to share proof, do it carefully and minimize exposure.
6 What to include in a report
A great report includes:
- A clear summary and affected hostnames / endpoints
- Reproduction steps (ideally copy-paste-able)
- Expected vs. actual behavior
- Impact assessment (what an attacker can do)
- Any relevant logs, request/response snippets (redacted), screenshots
- Suggested fix or mitigation (optional but appreciated)
If you have a CVE request or want coordinated disclosure, mention it explicitly.
7 Response and remediation timeline
We aim for:
- Acknowledgement: within 3 business days
- Initial triage: within 7 business days
- Status updates: at least every 14 days for confirmed issues
- Fix target: depends on severity and complexity
Severity rough guide:
- Critical: remote code execution, auth bypass, high-impact data exposure
- High: privilege escalation, sensitive data access, serious SSRF, stored XSS in privileged contexts
- Medium: reflected XSS with limitations, CSRF with real state change, info leaks with meaningful impact
- Low: minor hardening issues with limited or no impact
8 Disclosure
We support coordinated disclosure. If you plan to publish a write-up:
- Please coordinate timing with us
- We may ask for a short delay if a fix needs rollout time
- If you want credit, we’re happy to add you to our Hall of Fame
9 Hall of Fame
If you’d like to be credited, include:
- Your preferred name/handle
- A link (optional)
- Whether we may mention the affected product/service
If you prefer anonymity, we’ll list you as “Anonymous”.
10 Rewards / bounties
At this time, we do not offer monetary rewards.
11 Encryption
If you want encrypted communication, you can request an encryption method in your email (PGP, age, etc.). We will provide keys or a preferred mechanism on request.
Our main developer t@tsandrini.sh provides their keys both at http://tsandrini.sh/tsandrini.gpg and https://keybase.io/tsandrini
12 Legal / responsible use
This policy does not grant permission to:
- Access data beyond what is necessary to demonstrate impact
- Persist access, implant malware, or use obtained data for any purpose
- Disrupt services intentionally
When in doubt, ask first — we’re friendly.