Santosh Pandit

Security Policy

We take the security of this site seriously. If you find a vulnerability, we want to know about it.

Infrastructure

santoshpandit.com is served from infrastructure built to the ZTZT.dev Zero Trust Zero Tolerance standard. This means: TLS 1.3 only (no TLS 1.2 or earlier), hybrid post-quantum cipher suites enabled, strict transport security (HSTS) with preloading, no third-party CDNs, no third-party JavaScript, no external API dependencies, and least-privilege access controls throughout the server stack.

Full technical details of the server security architecture are documented at ztzt.dev.

Responsible disclosure

If you discover a security vulnerability in this website — including but not limited to injection vulnerabilities, authentication issues, information disclosure, or misconfiguration — please report it responsibly before public disclosure.

To report a vulnerability:

  • Email security@santoshpandit.com with a clear description of the issue, the steps to reproduce it, and any proof-of-concept you have developed.
  • Please do not access, modify or delete data that does not belong to you.
  • Please do not conduct automated scanning beyond what is needed to demonstrate the vulnerability.
  • Please allow reasonable time (typically 14 days) for the issue to be investigated and remediated before any public disclosure.

We will acknowledge your report within two working days. We will keep you informed of progress. We will credit researchers who follow responsible disclosure practices if they wish to be credited.

Scope

In scope: santoshpandit.com and any subdomains. Out of scope: third-party services and websites linked from this site.

What we do not consider vulnerabilities

  • Reports generated by automated scanners without manual verification of exploitability.
  • Reports of "missing" HTTP security headers that are in fact present (please check the actual response headers before reporting).
  • Clickjacking on pages with no sensitive actions.
  • Theoretical vulnerabilities with no demonstrated impact.
  • Social engineering attacks against the site owner.

Security headers

This site implements the following security controls, which you are welcome to verify independently:

  • HTTPS enforced, HSTS with preloading enabled
  • TLS 1.3 only, post-quantum hybrid cipher suites
  • Content-Security-Policy (strict)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: no-referrer
  • Permissions-Policy (restrictive)
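As an added example (not code from this page or from the site owner), the following Python checker compares a set of response headers against the controls listed above. The header values it ships with are constructed sample values, not a capture from santoshpandit.com; to verify the site, replace them with the headers from a real response.

```python
# Added example: check HTTP response headers against the controls listed in
# the policy. SAMPLE_HEADERS are CONSTRUCTED values, not a capture of the site.
from typing import Dict, List

SAMPLE_HEADERS = {  # constructed sample response headers
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into its directives (directive names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every listed control was found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    # HSTS preload-list eligibility: max-age >= 1 year, includeSubDomains, preload.
    max_age = hsts.get("max-age", "0")
    if (int(max_age) if max_age.isdigit() else 0) < 31536000:
        findings.append("HSTS max-age below one year (preload requires >= 31536000)")
    for directive in ("includesubdomains", "preload"):
        if directive not in hsts:
            findings.append(f"HSTS missing '{directive}' directive")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy header absent")
    elif "default-src" not in csp or "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy not strict (no default-src or 'unsafe-inline')")
    expected = {"x-content-type-options": "nosniff",
                "x-frame-options": "DENY",
                "referrer-policy": "no-referrer"}
    for name, want in expected.items():
        if h.get(name, "").strip().lower() != want.lower():
            findings.append(f"{name} is {h.get(name)!r}, expected {want!r}")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy header absent")
    return findings
```

Running `check_headers` on headers captured from a live response prints nothing for a fully compliant site and one line per control that is weaker than the policy states.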

Last updated

April 2026.

Personal website. Personal views. May not be shared by past or current employers.

© 2026 Santosh Pandit. All rights reserved.