Security and disclosure policy

This page is about our security and disclosure policy. Have a look at our privacy policy if you are looking for privacy-related topics.

Security contact

For us, security and privacy take top priority

✅ No logging by default – ✅ Minimal data processing

The InfoSec Handbook doesn’t track people. By default, our web server processes your IP address to serve our content. That’s all. We do not log your personal data. We concluded a data processing agreement (Article 28 GDPR) with our server provider (see our privacy policy).

✅ Single-purpose server – ✅ No databases

The InfoSec Handbook runs on a dedicated virtual server. This server does not run any other public services (e.g., no database server, no mail server, no messaging server).

✅ Security monitoring – ✅ Strong authentication – ✅ Defined processes

The InfoSec Handbook enforces current security practices. The core of our server is a hardened Linux installation. “Hardened” means we implemented the Principle of Least Functionality and Principle of Least Privilege. We monitor our server (e.g., login attempts, file changes). Two-factor authentication is mandatory to access the server. We install security patches within a narrow time frame and quickly respond to potential security incidents.

✅ 100% static content – ✅ No CMS, PHP, or JavaScript – ✅ No 3rd party content

The InfoSec Handbook consists of 100% static content. We don’t use content management systems (CMS), PHP, or JavaScript. We don’t embed any third-party content, and all links to third-party websites are visually marked. If you navigate to third-party websites, the new browser tab runs in a separate process in your web browser, and we strip any Referrer information.

Disclosure policy

We love “responsible disclosure.” We won’t take legal action against you as a penetration tester if you observe the law, and we won’t publish your identity by default.

Please stay with the following process if you want to report potential security issues on the InfoSec Handbook:

  1. Observe the testing requirements: Act professionally! Don’t flood our web server with millions of requests. Don’t execute random attacks. Don’t manipulate or destroy any data.
  2. Remain in scope. Test only!
  3. Send your report, which includes a brief description of the potential security issue (What is affected?) and a step-by-step guide that allows us to reproduce it. If necessary, add screenshots or proof of concept code.
  4. We check your report and get in touch with you. Expect our initial feedback within 3–5 days. We wait for 14 days for your feedback.
  5. Depending on the evaluation and your wish, we may add your name to our Acknowledgments section.

We don’t participate in any bug bounty programs anymore due to unprofessional behavior of several people.


We thank the following researchers and testers:

2019-08-28UndisclosedUnintended metadata in files


We updated this page on September 4, 2021.