Security reporting policy
I welcome contact from security researchers.
Security vulnerabilities can be found anywhere, and I'd much rather know about them than find out when my data ends up in a data dump somewhere. To that end, if you find a vulnerability on my site I encourage you to report it responsibly to me. In return, I won't take legal action against you, so long as you've followed the guidance here.
What is responsible disclosure?
That's a big discussion point in itself, but in this instance I mean reporting the issue to me, and only me. I'll then look to verify and resolve the issue before you disclose it more widely. You should avoid making any changes to my systems beyond a proof of concept, which must not be malicious.
More information on responsible disclosure is available on Wikipedia.
What is in scope?
Only vulnerabilities found on jonco-it.co.uk, and its subdomains, are in scope.
No "beg bounties" please
Please do not contact me begging for a financial reward based on your findings. As a small outfit, I do not have the capacity at this time to offer a bounty programme. I will acknowledge researchers below.
Contact
Security issues should be reported to security@jonco-it.co.uk.
Please ensure your message clearly explains the nature of the issue, and provides evidence.
Acknowledgements
At the time of writing no vulnerabilities have been reported to me. Appropriate acknowledgement will be given here in the event that changes.