Security Policy (Vulnerability Disclosure)

Last updated: January 01, 2026

I regard security as a continuous process of analysis and hardening, which is why I have implemented the RFC 9116 standard.

1. Security.txt

My machine-readable policy and PGP signature are located at: https://tizianogasparet.com/.well-known/security.txt

2. Reporting Procedure

If you identify a vulnerability in my OpenBSD stack:

  1. Encryption: Download my public key from https://tizianogasparet.com/public_key.asc.
  2. Report: Prepare a detailed Proof of Concept.
  3. Submission: Send it exclusively to security@tizianogasparet.com.
  4. Grace Period: I ask for 72 hours to acknowledge and begin mitigation before any public disclosure.

Tiziano Gasparet