Vulnerability Disclosure Policy

Scope

This vulnerability disclosure policy applies to:

  • This website (mateocallec.com);
  • Public open-source projects maintained or authored by Matéo Florian Callec;
  • Research outputs, tools, and other technical work explicitly referenced on this website.

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability within any in-scope system, please report it responsibly via:

Email: [email protected]

Please include as much detail as possible, such as:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any proof-of-concept code or screenshots (if applicable)

Responsible Disclosure Expectations

Security researchers are expected to:

  • Avoid accessing, modifying, or deleting user data
  • Not disrupt service availability (e.g., DoS testing)
  • Not publicly disclose the vulnerability before it has been addressed or acknowledged
  • Make a good-faith effort to avoid privacy violations or data exposure

Acknowledgements

Security researchers who responsibly disclose valid vulnerabilities may be credited at the discretion of the publisher. Recognition may be granted in one or more of the following places:

  • The public acknowledgements page: /acknowledgments
  • Relevant project repository (e.g. GitHub README or changelog)
  • Associated document or publication where applicable

Attribution is not guaranteed and may be modified, delayed, or removed at any time. The publisher reserves full discretion to refuse attribution or to remove a name from acknowledgements at any point, without obligation to justify the decision.

Response Timeline

Acknowledgment of valid vulnerability reports is typically provided within a reasonable timeframe. Further communication will depend on the severity and complexity of the issue.

Fixes or mitigations will be prioritized based on risk assessment.

Safe Harbor

If you follow this policy in good faith, the publisher will not initiate legal action against you for security research activities that are consistent with responsible disclosure practices.

Out of Scope

The following are generally considered out of scope:

  • Third-party services not controlled by the publisher
  • Social engineering attacks
  • Physical security issues
  • Automated scanner reports without demonstrable impact

Public Disclosure

Coordinated disclosure is preferred. Public disclosure should only occur after a fix has been deployed or explicit permission has been granted.

Policy Updates

This policy may be updated at any time without prior notice to adapt to evolving security practices and project requirements.