Security Policy

Last update: 2025-09-26; Previous: 2018-02-19

This is just a personal site. No budget for security bounties or such. So if you find a problem, please let me know; if we meet, I might buy you a beer. As it's just a personal site, I can't offer much more.

Reporting 'issues' that are clearly intentional public functionality will be seen as wasting time. Enumerating users is _not_ a vulnerability on a single-user site, especially when that one user is already exposed in the sitemap.

Contact information is in .well-known/security.txt.

-- Ivan

Known Conditions

WordPress User Enumeration / wp-user-enum / 'CVE-2017-5487'

Added: 2025-09-26

Determination: invalid

Any report regarding a 'WordPress User Enumeration' vulnerability, involving URLs such as:

or similar, will be treated as malicious, because it wastes time.

Revealing valid accounts is working as intended. Disabling user profile fetching would break the ActivityPub integration, since WebFinger lookups and ActivityPub object fetches depend on it. Do not report this.

While disabling wp-json, or at least unauthenticated access to it, seems like a good idea at first, doing so breaks critical federation functionality.
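The practical check behind the two paragraphs above is: before deploying a deny rule against "user enumeration" URLs, look at what the site's own WebFinger response points to, because a remote ActivityPub server will follow exactly those links. The script below is an added example for this page, not code from the site, from WordPress or from the ActivityPub plugin. The WebFinger (JRD) document is constructed by hand, and the actor and profile URL shapes in it, as well as the three deny rules, are assumptions; run the same logic against the real /.well-known/webfinger response of the site you are about to harden.

```python
"""
Check whether proposed "anti user-enumeration" URL blocks would also cut
off the endpoints that ActivityPub federation depends on.

Added example, not code from this site or from WordPress/ActivityPub.
The JRD below is constructed; the URL shapes in it are assumptions.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample WebFinger (JRD) response for acct:ivan@example.com.
# Only the JRD structure is standard; the link targets are assumed
# to resemble what a WordPress ActivityPub install exposes.
SAMPLE_JRD = json.dumps({
    "subject": "acct:ivan@example.com",
    "aliases": [
        "https://example.com/author/ivan/",
        "https://example.com/wp-json/activitypub/1.0/users/1",
    ],
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "type": "text/html",
         "href": "https://example.com/author/ivan/"},
        {"rel": "self",
         "type": "application/activity+json",
         "href": "https://example.com/wp-json/activitypub/1.0/users/1"},
    ],
})

# Hypothetical deny rules of the kind people deploy in response to
# "user enumeration" reports, as regular expressions over path+query.
PROPOSED_DENY_RULES = {
    "block-wp-v2-users": r"^/wp-json/wp/v2/users",
    "block-author-archives": r"^/author/",
    "block-all-wp-json": r"^/wp-json/",
}


def federation_urls(jrd_text: str) -> dict:
    """Return the URLs a remote ActivityPub server follows from a JRD.

    The 'self' link typed application/activity+json is the actor URL that
    object fetches depend on; the profile page is what humans get sent to.
    """
    jrd = json.loads(jrd_text)
    out = {}
    for link in jrd.get("links", []):
        if link.get("rel") == "self" and link.get("type") == "application/activity+json":
            out["actor"] = link["href"]
        elif link.get("rel") == "http://webfinger.net/rel/profile-page":
            out["profile"] = link["href"]
    return out


def path_and_query(url: str) -> str:
    """Reduce a URL to the part a web server's location rules match on."""
    p = urlparse(url)
    return p.path + ("?" + p.query if p.query else "")


def broken_by(rules: dict, urls: dict) -> dict:
    """Map each rule name to the federation URL kinds it would block."""
    result = {}
    for name, pattern in rules.items():
        rx = re.compile(pattern)
        result[name] = sorted(k for k, u in urls.items() if rx.search(path_and_query(u)))
    return result


def safe_rules(rules: dict, jrd_text: str) -> list:
    """Names of rules that block nothing federation needs, given the JRD."""
    urls = federation_urls(jrd_text)
    return sorted(n for n, hits in broken_by(rules, urls).items() if not hits)


if __name__ == "__main__":
    urls = federation_urls(SAMPLE_JRD)
    for rule, hits in broken_by(PROPOSED_DENY_RULES, urls).items():
        print(f"{rule}: {'breaks ' + ', '.join(hits) if hits else 'safe'}")
```

With the constructed JRD, blocking all of wp-json kills the actor URL and blocking author archives kills the profile link, which is the breakage the policy describes; only the narrow rule survives, and whether it survives on a real site depends entirely on what the real WebFinger response links to.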

Halcyon UI exposes lighttpd.conf

Added: 2025-09-26

Determination: invalid

There's nothing confidential or secret in there. Halcyon is a public open source third-party project, and this file ships as part of its source code. Lighttpd is not used on this machine. Do not report this as a vulnerability or information leak, since it is not one.