Very simple draft on pentesting since I have not found the time to setup proper rules yet.
So here are the rules for now:
Feel free to pentest my site but don't go around and fetch private stuff.
Pentesting is only allowed on the "testing" site, not on the live site.
Try to keep damage to a bare minimum (eg. don't go around and cause DoS'es, unless it's the actual exploit).

Reports can be opened on the Gitlab repo but make sure to to mark is as "confidential" (see about -> Website Sourcecode) or by contacting me somewhere else (eg. my mail).

Currently, there are no bug-bounties outside of a shoutout (if desired).
I may edit this statement at any time I want.

TL;DR: just don't be an asshole.