security
Contact and coordinated-disclosure policy
##
contact
Encrypted email preferred for anything sensitive. For low-sensitivity contact (acknowledgement, scheduling), unencrypted email is fine.
##
disclosure policy
Coordinated disclosure
Findings are disclosed under a 90-day window from first contact, shorter by mutual agreement when actively exploited or when the fix can ship faster.
Minimum-impact probing
I do not probe past the minimum required to confirm a finding. Empty-body requests, single-record reads, and schema inspection are preferred over enumeration or exploitation.
No data retention
I do not retain user data. Reproduction notes contain only what is needed to demonstrate the finding and are kept as a defensive audit trail, not as a dataset.
No public release before fix
I do not disclose publicly without prior notice to the affected party and an opportunity to remediate. The 90-day clock is the ceiling, not the default.
No bundled commerce
Disclosure messages do not contain payment requests. If a paid engagement makes sense as a follow-up, it is proposed separately after the disclosed issue is acknowledged.
##
what I expect from recipients
Acknowledgement within 3 business days
A reply confirming receipt and naming a contact for ongoing coordination. Auto-responses do not count.
A fix timeline proportional to severity
Critical findings should land a fix or interim mitigation within days. Lower-severity findings within the 90-day window.
No legal threats for good-faith reporting
Recipients that respond to coordinated disclosure with cease-and-desist letters or threats of action will be added to a public list of organisations to avoid disclosing to.
Optional public acknowledgement
Once the issue is fixed, a one-line mention in the acknowledgements section below — only with explicit permission.
##
engagement work
For platforms that want a structured review beyond an incidental finding, I take paid security engagements. Typical scope: public-surface audit, authenticated review against a self-provisioned test account, authorisation pattern analysis, and a written disclosure-style deliverable with reproduction commands and remediation steps.