- Read our security.txt file for structured security contact information.
- See our contact page for contact details.
For us, security and privacy take top priority
✅ No logging by default – ✅ Minimal data processing
✅ Single-purpose server – ✅ No databases
The InfoSec Handbook runs on a dedicated virtual server. This server does not run any other public services (e.g., no database server, no mail server, no messaging server).
✅ Security monitoring – ✅ Strong authentication – ✅ Defined processes
The InfoSec Handbook implements current security practices. The core of our server is a hardened Linux installation. “Hardened” means we installed only necessary software on the server and applied strict configuration. We monitor files for changes and login attempts. Two-factor authentication is mandatory to access the server. We install security patches within a narrow time frame and quickly respond to potential security incidents.
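The two monitoring controls named above, file-change detection and watching login attempts, are easy to sketch in code. The following Python script is an added example written for this page; it is not the InfoSec Handbook's own tooling. It hashes every regular file below a directory into a baseline, later re-hashes the tree and reports added, removed and modified files, and counts failed SSH password attempts per source address in sshd log lines. The directory layout, file contents and log lines are constructed here for illustration; the `demo()` function builds a throwaway tree in a temporary directory so the script runs offline.

```python
"""File-integrity check plus failed-login counting (added example, not the site's own code)."""
import hashlib
import os
import re
import tempfile
from collections import Counter


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative path, '/'-separated) under root to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # symlinks are skipped; their targets are hashed where they live
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of files that appeared, disappeared, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


# Matches OpenSSH's "Failed password" line, with or without the "invalid user" prefix.
AUTH_LINE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def failed_logins(lines, threshold: int = 3) -> dict:
    """Count failed password attempts per source IP and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        m = AUTH_LINE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sshd log lines (documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = [
    "Mar 11 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar 11 10:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2",
    "Mar 11 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "Mar 11 10:00:09 host sshd[1237]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2",
    "Mar 11 10:00:12 host sshd[1238]: Failed password for root from 198.51.100.7 port 50001 ssh2",
]


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and return the detected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {"etc/sshd_config": b"PasswordAuthentication no\n", "index.html": b"<html></html>\n"}
        for rel, content in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)
        # Simulate tampering: a config change, a dropped web shell, and a deleted page.
        with open(os.path.join(root, "etc", "sshd_config"), "wb") as f:
            f.write(b"PasswordAuthentication yes\n")
        with open(os.path.join(root, "backdoor.php"), "wb") as f:
            f.write(b"<?php system($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "index.html"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
    print(failed_logins(SAMPLE_AUTH_LOG))
```

In practice the baseline would be written once after hardening and stored off-box (or signed), since an attacker with root can otherwise update it alongside the files they change; the threshold for failed logins should be tuned to the host, and with password authentication disabled on sshd any "Failed password" line is itself worth an alert.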
We love “responsible disclosure.” We won’t take legal action against you as a penetration tester if you observe the law, and we won’t publish your identity by default.
Please follow the process below if you want to report a potential security issue in the InfoSec Handbook:
- Observe the testing requirements: Act professionally! Don’t flood our web server with millions of requests. Don’t execute random attacks. Don’t manipulate or destroy any data.
- Remain in scope!
- Send your report, which includes a brief description of the potential security issue (What is affected?) and a step-by-step guide that allows us to reproduce it. If necessary, add screenshots or proof of concept code.
- We check your report and get in touch with you. Expect our initial feedback within 3–5 days. We wait for 14 days for your feedback.
- Depending on the evaluation and your wish, we may add your name to our Acknowledgments section.
- We publish anonymous information regarding the issue in our Git repository to inform other testers.
The disclosure policy on this page is valid for the following domain names (and underlying servers):
| Domain name | Eligible for bug bounties |
|---|---|
| Any other domain | no |
Bug bounties (guideline)
The following bounties are only a guideline. We discuss the actual bounty with reporting parties. If you report a valid security vulnerability and meet all of the testing requirements on this page, you may get a bug bounty as stated in the following table:
| Type of vulnerability | Bug bounty up to |
|---|---|
| Security-relevant configuration weakness | Acknowledgment |
| Information leakage (except personal data) | €75 |
| Code injection (e.g., HTML, JS) | €100 |
| Unauthorized access (user-level) | €100 |
| Remote Code Execution (RCE) | €150 |
| Leakage of personal data | €175 |
| Unauthorized access (root-level) | €175 |
| Vulnerability requiring physical access | Out of scope |
| Legacy or future HTTP response headers | Out of scope |
We pay via bank wire transfer (EU countries only) or Stellar Lumens (XLM). Additional legal regulations and requirements regarding payments may exist in your country.
We thank the following researchers and testers:
| Date | Reporter | Issue | Bounty |
|---|---|---|---|
| 2019-08-28 | Undisclosed | Unintended metadata in some files | €25 |
We updated this page on March 11, 2021.