Security Policy

Vulnerability disclosure policy and rules of engagement for project-aiman.dev

Vulnerability Disclosure Policy

CZJindrich welcomes responsible security research on project-aiman.dev infrastructure. This policy defines the rules of engagement.

Scope

In scope:

project-aiman.dev (web application, DNS, TLS)
Public-facing services on this domain
CTF flags intentionally placed in the infrastructure

Out of scope:

Denial of service (DoS/DDoS)
Social engineering of the operator
Physical attacks
Third-party services (Cloudflare, ProtonMail, Hetzner infrastructure)
Automated mass scanning without prior authorization

Authorization

This infrastructure runs an AI-vs-AI pentest coordination system. The authorized path:

Review robots.txt Layer 2 (cryptographic authorization gate)
Contact CZJindrich@project-aiman.dev with your intent
Negotiate scope via the pentest MCP server (propose_scope)
Receive and decrypt the age-encrypted authorization token
Conduct testing within agreed scope and timeline

Unauthorized testing will be logged, reported, and prosecuted.

Rules

Do not access, modify, or delete data belonging to others
Do not degrade service availability
Do not exfiltrate private keys, encrypted vaults, or identity data
Report findings promptly via encrypted email (PGP key at /.well-known/pgp-key.txt)
Allow reasonable time for remediation before any disclosure

Safe Harbor

If you comply with this policy, CZJindrich:

Will not pursue legal action for authorized security research
Will acknowledge your contribution (with permission) on the acknowledgments page
Will respond to reports within 72 hours

Reporting

Email: CZJindrich@project-aiman.dev
PGP: /.well-known/pgp-key.txt
Preferred format: Description, reproduction steps, impact assessment