Security

Responsible disclosure.

If you’ve found a vulnerability in irsa.info, the IRSA Aid pipeline, or any other surface we run, please tell us directly. We’re a small nonprofit team, but security reports take priority over every other queue.

How to report

  1. Email [email protected] with a clear repro and the impact you observed. PGP not required (we don’t publish a key yet), but you may split details across messages if you prefer.
  2. We confirm receipt within 48 hours. If you don’t hear from us in that window, please also drop a note at [email protected] in case the security inbox is queueing.
  3. We’ll keep you posted on the fix timeline. Critical issues are typically out the door within 24-72 hours of confirmation; lower-severity issues within two weeks.
  4. Public disclosure happens after the fix is live, with credit to you (your handle, your name, or anonymous — your choice).

In scope

  • irsa.info (this site), including the editorial blog, IRSA Aid pipeline, apply flow, /account dashboard, and /dashboard ops console.
  • app.irsa.info (the mail subdomain hosting our Postfix sidecar).
  • Our API surface (/api/*) including authentication, aid endpoints, the bell + email notification rail.

Out of scope

  • UCF’s own systems (ucf.edu, knights.ucf.edu, etc.). We’re a registered student organization, not the university — please report those issues to UCF Information Security.
  • Third-party vendors we use (Stripe, Resend, Cloudflare). Please report those to the respective vendor.
  • Social engineering against our staff or volunteers, physical attacks against our infrastructure, denial-of-service or volumetric testing.

Safe harbour

If you act in good faith, follow the guidance on this page, and don’t access more data than necessary to prove a finding, we treat your research as authorised. We will not pursue legal action and will work with you to resolve the issue. If you’re unsure whether a planned test is okay, ask first.

Acknowledgements

No advisories published yet. When we have our first, this section will become the public hall-of-fame — researcher name, date acknowledged, brief one-line summary, and a link to the fix commit.

Machine-readable companion: /.well-known/security.txt · [email protected]