Security Policy
This document outlines the security vulnerability disclosure policy for sdburt.com, a personal portfolio website built with Astro and deployed on Vercel.
Scope
This security policy applies to:
- Primary domain: www.sdburt.com
- Subdomains: Any official subdomains of sdburt.com
- Source code: Public repositories related to this website
In Scope Vulnerabilities
We are interested in receiving reports about the following types of vulnerabilities:
- Cross-Site Scripting (XSS) - Stored, reflected, or DOM-based XSS vulnerabilities
- Content Security Policy (CSP) Bypass - Methods to bypass our CSP implementation
- Cross-Site Request Forgery (CSRF) - Unlikely on a static site with no state-changing endpoints, but reports are welcome if you find one
- Information Disclosure - Exposure of sensitive information or system details
- Security Header Bypass - Methods to bypass security headers
- Clickjacking - Framing attacks that succeed despite our X-Frame-Options header
- Content Injection - Injection of malicious content into pages
Out of Scope
The following are explicitly out of scope for this security policy:
- Social Engineering - Attacks targeting individuals rather than systems
- Physical Security - Physical access to systems or infrastructure
- Denial of Service (DoS/DDoS) - Attacks aimed at disrupting service availability
- Brute Force Attacks - There are no login systems to attack
- Rate Limiting - No user-generated content or forms to rate limit
- Email Security - Email systems are managed by third-party providers
- Third-Party Services - Vulnerabilities in Vercel, GitHub, or other external services (report these to the vendor's own security program)
- Self-XSS - Issues that require the victim to paste or run attacker-supplied input themselves
- Missing Security Headers - Unless you can demonstrate actual exploitation
- Theoretical Vulnerabilities - Issues without practical exploitation paths
Responsible Disclosure
If you discover a security vulnerability, please follow these guidelines:
- Do not access, modify, or delete data belonging to others
- Do not perform actions that could harm the availability of the service
- Do not access or attempt to access accounts or data you don't own
- Do not publicly disclose the vulnerability before it has been resolved
- Do provide detailed steps to reproduce the vulnerability
- Do include proof-of-concept code or screenshots when helpful
- Do be patient while we investigate and resolve the issue
Reporting Process
To report a security vulnerability:
- Email: Send detailed information to seandburt@gmail.com
- Subject Line: Use "Security Vulnerability Report" as the subject
- Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested remediation (if known)
- Your contact information
Response Timeline
We commit to the following response timeline:
- Initial Response: Within 48 hours of receipt
- Triage: Within 72 hours of receipt
- Status Updates: Every 7 days until resolution
- Resolution: Varies based on severity and complexity
Recognition
Researchers who responsibly disclose valid security vulnerabilities will be recognized on our Security Acknowledgments page, unless they prefer to remain anonymous.
Legal Safe Harbor
We support responsible security research and will not pursue legal action against researchers who:
- Follow this responsible disclosure policy
- Act in good faith and avoid privacy violations
- Do not perform actions that could harm our service or users
- Report vulnerabilities promptly and confidentially
Contact Information
For security-related inquiries, please contact:
- Email: seandburt@gmail.com
- Response Time: 48 hours maximum
- Languages: English
Last Updated: January 6, 2025
Version: 1.0