Security Policy | Rasoul Unlimited

Formal framework for security, scoped testing and responsible disclosure


Security & Responsible Disclosure Policy

This website is hosted on GitHub Pages and delivered through Cloudflare for availability, performance and protection. A strict Content Security Policy (CSP) is enforced via Cloudflare to reduce attack surface and protect visitors.

Protecting the confidentiality, integrity and availability of data is a non-negotiable commitment. This document defines the expectations, authorized testing scope and standard disclosure workflow so that security researchers can collaborate in a clear, professional way.


Content Security Policy (CSP)

The following sample Content Security Policy is currently enforced for this domain via Cloudflare. It may be updated as security requirements evolve, following the principles of least privilege and defense-in-depth:

default-src 'self' blob:;
script-src 'self' https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://static.cloudflareinsights.com https://giscus.app 'nonce-RasoulCSP';
style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'nonce-RasoulCSP';
style-src-attr 'self' 'nonce-RasoulCSP';
style-src-elem 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://giscus.app;
font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com;
img-src 'self' data: https://avatars.githubusercontent.com;
connect-src 'self' https://static.cloudflareinsights.com https://giscus.app https://api.github.com https://orcid.org https://about.me https://www.researchgate.net https://www.linkedin.com https://github.com;
frame-src https://giscus.app;
object-src 'none';
base-uri 'self';
form-action https://formspree.io 'self';
frame-ancestors 'self';

Note: only strictly necessary origins are whitelisted. Any new dependency is reviewed for security impact before being added to this policy.
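As an added example (not part of this page or the site's own tooling), the small Python audit below parses the policy above the way a browser does, applies the default-src fallback for fetch directives, and flags the settings a reviewer checks first: 'unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard or plaintext-http sources, object-src not 'none', and the three directives that never inherit from default-src. The nonce check follows the CSP3 recommendation that a nonce carry at least 128 bits of entropy (22 base64 characters) and be generated fresh for every response, since a fixed literal behaves like a static allow-list token rather than a nonce; the second, weak policy in the comments is constructed for contrast.

```python
# The policy published on this page, serialized as one header value.
PAGE_CSP = (
    "default-src 'self' blob:; "
    "script-src 'self' https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com "
    "https://static.cloudflareinsights.com https://giscus.app 'nonce-RasoulCSP'; "
    "style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net 'nonce-RasoulCSP'; "
    "style-src-attr 'self' 'nonce-RasoulCSP'; "
    "style-src-elem 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://giscus.app; "
    "font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https://avatars.githubusercontent.com; "
    "connect-src 'self' https://static.cloudflareinsights.com https://giscus.app https://api.github.com https://orcid.org "
    "https://about.me https://www.researchgate.net https://www.linkedin.com https://github.com; "
    "frame-src https://giscus.app; object-src 'none'; base-uri 'self'; form-action https://formspree.io 'self'; frame-ancestors 'self';"
)

def parse_csp(header):
    """Return {directive: [source expressions]} from a serialized policy."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy, directive):
    """Sources governing `directive`, falling back to default-src as a browser does."""
    return policy.get(directive, policy.get("default-src", []))

def audit(policy):
    """List findings; an empty list means none of these checks fired."""
    findings = []
    for d in ("script-src", "style-src"):
        srcs = effective(policy, d)
        if "'unsafe-inline'" in srcs and not any(s.startswith(("'nonce-", "'sha")) for s in srcs):
            findings.append(f"{d}: 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{d}: 'unsafe-eval' allowed")
        if "*" in srcs or any(s.startswith("http:") for s in srcs):
            findings.append(f"{d}: wildcard or plaintext http source")
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    for d in ("base-uri", "frame-ancestors", "form-action"):
        if d not in policy:  # these never inherit from default-src
            findings.append(f"{d} missing")
    # CSP3: a nonce should carry >= 128 bits of entropy (22 base64 chars) and be fresh per response.
    for d, srcs in policy.items():
        for s in srcs:
            if s.startswith("'nonce-") and len(s[len("'nonce-"):-1]) < 22:
                findings.append(f"{d}: nonce too short to be a random per-response value")
    return findings
```

Run `audit(parse_csp(PAGE_CSP))` to list the findings for the published policy; a constructed weak policy such as `"default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"` exercises every other check.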

Reporting Security Issues

If you discover a security issue, please do not publicly disclose it before giving a reasonable opportunity to investigate and remediate. Proceed as follows:

  1. Collect technical details and reproduction steps
  2. Confirm that your testing is within the allowed scope
  3. Submit a report using one of the official contacts below

Email: [email protected]

GitHub: Open a security issue on GitHub

To help triage and fix issues quickly, please include:

  • Short description and precise location of the issue
  • Exact steps to reproduce (step-by-step)
  • A minimal, non-destructive proof-of-concept (PoC), if available
  • Environment details (browser, OS, version, etc.)
  • Estimated impact or severity
  • Contact details for follow-up (email or handle)
  • Links, logs or screenshots that make the issue easier to understand

Please refrain from publishing PoC code or technical details that could enable abuse until the issue has been resolved.

Secure Communication

For sensitive reports (for example PoCs containing real data or logs), end-to-end encryption using my PGP public key is recommended.

  • The key is available on Keybase.
  • Download the PGP public key
  • Verify this fingerprint before use: D483 4991 882E 7EC4 4187 40AC 1CAF 52B8 DB95 F6FE
  • After importing the key, encrypt your message and send it to [email protected]

Authorized Testing Scope

To respect third-party providers and infrastructure, authorized security testing under this policy is limited to the following domains:

  • rasoulunlimited.ir
  • www.rasoulunlimited.ir

Services, subdomains or infrastructure not directly controlled by Rasoul Unlimited (including hosting providers, payment gateways and other linked platforms) are out of scope and must only be tested under the respective provider’s own terms and policies.

Examples of out-of-scope activities:

  • Direct penetration testing against Cloudflare or GitHub infrastructure
  • Targeting third-party services that are merely linked from this site
  • Any form of denial-of-service (DoS / DDoS) attack on any component

Responsible Disclosure & Mutual Commitments

  • In normal circumstances, reports are acknowledged within 48 hours.
  • Depending on impact and complexity, remediation or mitigation plans are usually communicated within 30 days, with urgent issues prioritized.
  • If you wish, your name or handle (e.g., GitHub or X/Twitter) can be included in a public list of security acknowledgments, unless you prefer to remain anonymous.
  • The canonical, machine-readable policy is also published at security.txt.

Informal safe-harbor note: as long as your security testing is conducted in good faith, within this policy’s scope, without exploiting data or causing harm, the intent is to work with you constructively rather than pursue legal action. This statement is not legal advice and may be refined in future versions of the policy.

Practical Testing Guidelines

To avoid unintended disruption or damage during testing, please follow these guidelines:

  • Use non-destructive techniques and avoid modifying or deleting real data.
  • Do not perform DoS / DDoS attacks, resource-exhaustion tests or excessive traffic generation.
  • Avoid social engineering, phishing or targeted attacks against individual accounts.
  • Do not attempt to bypass authentication or authorization mechanisms of third-party services out of scope.
  • Where possible, clean up any test data created during your assessment.

You are solely responsible for ensuring that your activities comply with all applicable laws and regulations. By submitting a report, you confirm that your testing was lawful and within this policy’s scope.

Security Timeline

The security timeline highlights key milestones and changes for this website, giving researchers and advanced users a transparent view of its security evolution.

Security Advisories

The latest security notices and advisories for this project are published via GitHub Security Advisories. Security researchers are encouraged to review this section before starting new assessments.
