elliot@steffensens.io : ~/security/
index.md blog/ security.md

security

Contact and coordinated-disclosure policy
I report security vulnerabilities I find in third-party services and operate paid security engagements for platforms in fintech, trading, and adjacent domains.

## contact

email security@steffensens.io
pgp key 8C95 0268 8B65 095C A5F7  4CFB 35A3 6068 9074 6986
security.txt RFC 9116
Encrypted email preferred for anything sensitive. For low-sensitivity contact (acknowledgement, scheduling), unencrypted email is fine.

## disclosure policy

Coordinated disclosure
Findings are disclosed under a 90-day window from first contact, shorter by mutual agreement when actively exploited or when the fix can ship faster.
Minimum-impact probing
I do not probe past the minimum required to confirm a finding. Empty-body requests, single-record reads, and schema inspection are preferred over enumeration or exploitation.
No data retention
I do not retain user data. Reproduction notes contain only what is needed to demonstrate the finding and are kept as a defensive audit trail, not as a dataset.
No public release before fix
I do not disclose publicly without prior notice to the affected party and an opportunity to remediate. The 90-day clock is the ceiling, not the default.
No bundled commerce
Disclosure messages do not contain payment requests. If a paid engagement makes sense as a follow-up, it is proposed separately after the disclosed issue is acknowledged.

## what I expect from recipients

Acknowledgement within 3 business days
A reply confirming receipt and naming a contact for ongoing coordination. Auto-responses do not count.
A fix timeline proportional to severity
Critical findings should land a fix or interim mitigation within days. Lower-severity findings within the 90-day window.
No legal threats for good-faith reporting
Recipients that respond to coordinated disclosure with cease-and-desist letters or threats of action will be added to a public list of organisations to avoid disclosing to.
Optional public acknowledgement
Once the issue is fixed, a one-line mention in the acknowledgements section below — only with explicit permission.

## engagement work

For platforms that want a structured review beyond an incidental finding, I take paid security engagements. Typical scope: public-surface audit, authenticated review against a self-provisioned test account, authorisation pattern analysis, and a written disclosure-style deliverable with reproduction commands and remediation steps.
contact hello@steffensens.io (separate from disclosure address)
NORMAL security.md 4 sections utf-8 markdown 1,1 Top