Responsible Disclosure Policy

Last updated: May 2026

Scope

This policy applies to trimarchimanuele.it and its subdomains.

In scope

• Cross-site scripting (XSS)
• Injection flaws
• Authentication and authorization issues
• Sensitive data exposure
• Security misconfiguration

Out of scope

• Denial-of-service attacks
• Social engineering
• Physical attacks
• Scanner output without a proof-of-concept
• Clickjacking without demonstrated practical impact

Reporting

Send your report to info [at] trimarchimanuele.it. If the content is sensitive, please encrypt it with my PGP key.

What to include

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Supporting material (screenshots, proof-of-concept)

Ground rules

• Do not access, modify, or delete data that is not yours
• Do not disrupt services
• Do not publicly disclose before a fix is released

Response

I will acknowledge your report within 7 days, work on a fix, and credit you on the acknowledgments page if you wish.

Safe harbour

Good-faith research conducted in accordance with this policy will not result in legal action.