Security and disclosure policy

This page is about our security and disclosure policy. Have a look at our privacy policy if you are looking for privacy-related topics.

Security contact

For us, security and privacy take top priority

✅ No logging by default – ✅ Minimal data processing

The InfoSec Handbook doesn’t track people. By default, our web server processes your IP address to serve our content. That’s all. We do not log your personal data. We concluded a data processing agreement according to Article 28 GDPR with our server provider (see our privacy policy).

✅ Single-purpose server – ✅ No databases

The InfoSec Handbook runs on a dedicated virtual server. This server does not run any other public services (e.g., no database server, no mail server, no messaging server).

✅ Security monitoring – ✅ Strong authentication – ✅ Defined processes

The InfoSec Handbook implements current security practices. The core of our server is a hardened Linux installation. “Hardened” means we installed only necessary software on the server and applied strict configuration. We monitor files for changes and login attempts. Two-factor authentication is mandatory to access the server. We install security patches within a narrow time frame and quickly respond to potential security incidents.

✅ 100% static content – ✅ No CMS, PHP, or JavaScript – ✅ No 3rd party content

The InfoSec Handbook consists of 100% static content. We don’t use content management systems (CMS), PHP, or JavaScript. We don’t embed any third-party content, and all links to third-party websites are visually marked. If you navigate to third-party websites, the new browser tab runs in a separate process in your web browser, and we strip any Referrer information.

Disclosure policy

We love “responsible disclosure.” We won’t take legal action against you as a penetration tester if you observe the law, and we won’t publish your identity by default.

Please follow this process if you want to report potential security issues on the InfoSec Handbook:

  1. Observe the testing requirements: Act professionally! Don’t flood our web server with millions of requests. Don’t execute random attacks. Don’t manipulate or destroy any data.
  2. Remain in scope!
  3. Send your report, which includes a brief description of the potential security issue (What is affected?) and a step-by-step guide that allows us to reproduce it. If necessary, add screenshots or proof of concept code.
  4. We check your report and get in touch with you. Expect our initial feedback within 3–5 days. We wait for 14 days for your feedback.
  5. Depending on the evaluation and your wish, we may add your name to our Acknowledgments section.
  6. We publish anonymous information regarding the issue in our Git repository to inform other testers.


The disclosure policy on this page is valid for the following domain names (and underlying servers):

Domain name | Eligible for bug bounties
Any other domain | no

Bug bounties (guideline)

The following bounties are only a guideline. We discuss the actual bounty with reporting parties. If you report a valid security vulnerability and meet all of the testing requirements on this page, you may get a bug bounty as stated in the following table:

Type of vulnerability | Bug bounty up to
Security-relevant configuration weakness | Acknowledgment
Information leakage (except personal data) | €75
Code injection (e.g., HTML, JS) | €100
Unauthorized access (user-level) | €100
Remote Code Execution (RCE) | €150
Leakage of personal data | €175
Unauthorized access (root-level) | €175
Vulnerability requiring physical access | Out of scope
Legacy or future HTTP response headers | Out of scope

We pay via bank wire transfer (EU countries only) or Stellar Lumens (XLM). Additional legal regulations and requirements regarding payments may exist in your country.


We thank the following researchers and testers:

2019-08-28 | Undisclosed | Unintended metadata in some files | €25


We updated this page on March 11, 2021.