Security Policy
Last review: 2026-04-27
This site (juandavidrivera.com) follows RFC 9116 for security disclosure. The machine-readable contact file is at /.well-known/security.txt.
Reporting a Vulnerability
- Email [email protected] (primary) or [email protected] (backup).
- Please include: a description of the issue and its potential impact, steps to reproduce (URLs, payloads, browser/device), and any logs or screenshots that help validate the report.
- If the issue is sensitive, request our PGP fingerprint in your first message and we will respond with the public key out of band.
Response Targets
- Acknowledgement: within 2 business days.
- Initial triage: within 5 business days.
- Critical issues affecting users in production are typically remediated within 72 hours.
Scope
In scope:
- The current production deploy of juandavidrivera.com and website-6uy.pages.dev (Cloudflare Pages).
- Any subdomain under juandavidrivera.com that we expose (e.g. preview deploys reachable from this site's links).
Out of scope:
- Findings on archived projects, third-party SaaS we link to, or non-production environments.
- Issues that require physical access to a user's device.
- Reports based solely on missing best-practice headers without an exploitable vulnerability — we welcome the heads-up but they are tracked as hardening work, not vulnerabilities.
- Reports that target Cloudflare's infrastructure itself (please report those to Cloudflare's HackerOne).
Safe Harbour
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of service.
- Only test against accounts they own, or have explicit permission to test.
- Give us a reasonable time to remediate before any public disclosure.
Coordinated Disclosure
Please do not publicly disclose an issue until we have had a chance to remediate. We will credit reporters in our acknowledgements upon request.
Summary (translated from Spanish)
If you find a vulnerability, write to us at [email protected]. We will confirm receipt within 2 business days and triage within 5. Critical issues in production are mitigated within 72 hours. Reports made in good faith are protected by the "safe harbour" clause above.