teogor.com

Security & Trust

How to report vulnerabilities, verify my identity, and securely contact me regarding any security concern across teogor.com or any of my open source projects.

Last updated: May 1, 2026

Scope

The following are in scope for security reports:

teogor.com (this website): In scope
Ceres — Android framework: In scope
Winds — Gradle plugin: In scope
Sudoklify — KMP library: In scope
All other published OSS libraries: In scope
Third-party dependencies: Out of scope
GitHub infrastructure: Out of scope
Maven Central infrastructure: Out of scope

Responsible Disclosure Policy

1. Report privately

Email [email protected] with [SECURITY] in the subject. Include steps to reproduce, impact, and any suggested fix. Encrypt with my GPG key for sensitive findings.

2. Acknowledgement

I will acknowledge receipt within 48 hours and provide an initial assessment of the severity and impact.

3. Remediation

I will work on a fix and keep you updated on progress. For critical issues I aim to patch within 7 days, others within 30 days.

4. Coordinated disclosure

Once fixed, I will coordinate with you on a public disclosure date. You will be credited unless you prefer to remain anonymous.

Response Timeline

48h: Acknowledgement
Initial response confirming receipt of your report

7 days: Critical patches
For CVSS ≥ 9.0 vulnerabilities with active exploitation risk

30 days: Standard patches
For most other valid vulnerability reports

Signed Commits

All commits to my repositories are GPG-signed. GitHub displays a Verified badge on each signed commit. You can verify the signature against my public key below.

GPG Public Key

Use this key to encrypt sensitive vulnerability reports sent to [email protected], or to verify signatures on releases and commits.

Key ID: 0xC9B9DE932E72D1CE
Algorithm: RSA 4096
Email: [email protected]
Fingerprint: ABA9 0C8C 36A6 7FB4 2DBF 00C3 C9B9 DE93 2E72 D1CE

To import: gpg --fetch-keys https://teogor.com/teogor.asc

Verifying Release Artifacts

Maven artifacts published to Maven Central from my repositories include signature files (.asc). You can verify any artifact against my GPG key.

Verify an artifact signature
# Import key directly from teogor.com
gpg --fetch-keys https://teogor.com/teogor.asc

# Or via keyserver
gpg --keyserver keys.openpgp.org --recv-keys C9B9DE932E72D1CE

# Verify a Maven artifact (.jar + .jar.asc in the same directory)
gpg --verify artifact.jar.asc artifact.jar
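
gpg --verify reports a good signature for any key present in the local keyring, so a scripted check should also confirm that the signer is the key whose fingerprint is published on this page. The following is an added example, not part of the original page or the author's tooling; the function names and the sample status line are hypothetical, and it assumes GnuPG's machine-readable --status-fd output.

```shell
#!/bin/sh
# Added example: pin signature verification to the fingerprint published above.
# Fingerprint from this page, with the spaces removed.
PINNED_FPR="ABA90C8C36A67FB42DBF00C3C9B9DE932E72D1CE"

# Constructed sample (not real gpg output): a valid signature made by some
# other key that happens to be in the keyring. It must be rejected.
SAMPLE_OTHER_KEY='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-05-01 1777593600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names PINNED_FPR as the primary key (the last field of a VALIDSIG line)
# and no BADSIG or ERRSIG line is present. Anything else fails closed.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG")      { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_artifact <signature.asc> <artifact>
# Runs gpg, then requires both a zero exit status and the pinned signer.
verify_artifact() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signed_by_pinned_key
}

# Usage, after importing the key as shown above:
#   verify_artifact artifact.jar.asc artifact.jar && echo "signed by pinned key"
```

Comparing against the primary-key field means a signature made by a signing subkey of the same key is still accepted.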

Security Contact

Found a vulnerability?

Please do not open a public GitHub issue for security vulnerabilities. Email me directly at [email protected] with [SECURITY] in the subject line. You may encrypt your report using my GPG key above.
