$ cat /etc/security-policy.txt

// SECURITY

RESPONSIBLE DISCLOSURE

SCOPE

This policy covers aarondavidge.com and all of its subdomains and branches, including but not limited to store.aarondavidge.com, blog.aarondavidge.com, and assistant.aarondavidge.com, along with any services, APIs, or infrastructure operated under them.

NO AUTHORIZATION IS GRANTED

I DO NOT consent to and DO NOT authorize active vulnerability scanning, automated fuzzing or enumeration, exploitation of any vulnerability, denial-of-service testing, social engineering, or any other form of active security research against the systems in scope. There is no bug bounty program, and nothing on this site constitutes an invitation to test it. Unauthorized testing may violate applicable law, and this policy does not provide safe harbor for it.

IF YOU FIND SOMETHING ANYWAY

If, despite the above, you happen to stumble across a vulnerability — the rule is simple: don't be a dick. That means:

Report it promptly and privately to bugs@aarondavidge.com with enough detail to reproduce it. Do not access, modify, delete, or exfiltrate data beyond the absolute minimum needed to demonstrate the issue. Do not degrade or disrupt any service. Do not publicly disclose the issue before I've had a reasonable opportunity to fix it. Do not demand payment in exchange for the report.

WHAT YOU CAN EXPECT FROM ME

Good-faith reports that follow the rules above get a good-faith response: I'll acknowledge your report as quickly as I can (typically within 72 hours), keep you informed while I investigate and fix the issue, and credit you for the find if you'd like — no hall of fame, no bounty, just honest thanks from one builder to another.

MACHINE-READABLE VERSION

This policy is also published at /.well-known/security.txt per RFC 9116.

LAST UPDATED: 2026-07-12 · CONTACT: bugs@aarondavidge.com