1. Introduction and Scope
manueltgomes.com is operated by Skillful Sardine - Unipessoal Lda. We welcome security research on this site. This policy describes how to report vulnerabilities and what you can expect from us in return.
This document is the target of the Policy field in our RFC 9116 /.well-known/security.txt file.
2. How to Report a Vulnerability
Send reports by email to security@skillfulsardine.com. Please include:
- A clear description of the vulnerability
- Steps to reproduce, including any required payloads or proof-of-concept code
- The affected URL, endpoint, or component
- Potential impact (what an attacker could achieve)
- Your contact details so we can coordinate disclosure
Please do not file reports in public issue trackers, social media, or other public channels before we have had a chance to respond.
3. In-Scope
The following are within scope of this policy:
- manueltgomes.com (blog content, comments, subscription flows)
- Public APIs served from the manueltgomes.com hostname
- Authentication, session, and CSRF handling
- Server-side injection (SQL, command, template, etc.)
- Stored or reflected cross-site scripting (XSS)
- Insecure direct object references and authorisation flaws
- Sensitive data exposure
4. Out-of-Scope
The following are explicitly out of scope and will not be treated as eligible reports:
- Denial-of-service attacks, rate-limit bypasses that require sustained traffic, or any test that would degrade the service for other visitors
- Social engineering of Skillful Sardine staff, contractors, or readers
- Physical attacks against offices or personnel
- Attacks against third-party services we integrate with (comments, analytics, CDN) — report those to the relevant vendor
- Findings that require physical access to a user's unlocked device
- Missing "defence-in-depth" headers without a demonstrated exploitation path
- Reports generated by automated scanners without manual validation
- Publicly known CVEs in dependencies that have no working exploit against our deployment
5. Researcher Guidelines
We expect researchers to:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption during testing
- Stop testing as soon as they have enough information to report the finding
- Not access, modify, or retain data that does not belong to them
- Give us a reasonable amount of time to remediate before disclosing publicly (see §6)
- Not attempt to pivot to other systems once a vulnerability is confirmed
6. Response Timeline
- Acknowledgment: within 72 hours of receipt
- Initial assessment: within 7 days
- Status updates: at least every 14 days until the report is closed
- Coordinated disclosure: we aim to remediate within 90 days of triage
7. Safe Harbor
When you follow this policy, we consider your research to be authorised conduct under relevant computer-crime statutes. We will not pursue legal action against researchers who act in good faith and within the guidelines above. We cannot waive claims held by third parties.
8. Rewards and Recognition
We do not operate a monetary bug bounty. With your permission, we are happy to credit validated reports on our Security Acknowledgments page.
9. Contact
Security reports: security@skillfulsardine.com
General legal enquiries: legal@skillfulsardine.com