- We provide a security.txt file for structured security contact information.
- See our contact page for contact details and our OpenPGP key.
For us, security and privacy take top priority
✅ No logging by default – ✅ Minimal data processing
✅ Single-purpose server – ✅ No databases
For security, we provide our website using a dedicated virtual server. There aren’t any other public services on this server (e.g., no database server, no mail server, no messaging server).
✅ Security monitoring – ✅ Strong authentication – ✅ Defined processes
We permanently monitor our server to check for modified files and login attempts. Two-factor authentication is needed to access our server. The core of our server is a hardened Linux installation. Hardening means that we removed unnecessary packages and applied strict configuration at the kernel level. Finally, we implemented processes to ensure the installation of security updates within a narrow time frame and quick reaction to reported potential security vulnerabilities.
✅ 100% transparency – ✅ Available on archive.org – ✅ No hidden changes
You find all changes on InfoSec Handbook on codeberg.orgexternal link. Our commits are cryptographically signed. When we update our content, we add a small changelog to the bottom of the post, listing the most significant changes. Moreover, our website is listed on archive.orgexternal link. This way, you can go back in history and check our changes.
Did you find a potential security vulnerability? You find our security-related contact details above. We won’t take legal action against you as a penetration tester if you observe the law, and we won’t publish your identity by default.
Besides, we run a bug bounty program to ensure the highest level of security and privacy. Everyone is eligible to participate in the program as described by this policy.
We are big fans of “coordinated disclosure.” Due to this, we stay with the following process:
1. You start to test for security vulnerabilities
First of all, thanks for helping us to improve the security of the InfoSec Handbook. Please look at the scope and observe the testing requirements. If you have any further questions, please do not hesitate to contact us.
2. You send us a private report
You privately report a potential security vulnerability. Use the communication channels mentioned above. Use our OpenPGP key, and provide your OpenPGP key!
You may submit your report anonymously; however, we can’t get in touch with you in this case.
3. We check your report and you get our feedback
We check your initial report. Depending on our investigation, we either:
- fix the vulnerability and get in touch with you regarding your bug bounty and coordinated disclosure, or
- get in touch with you to request additional information, or
- inform you about the ineligibility of your report.
Expect our initial feedback within 5 days.
4. We wait for your feedback
After sending our feedback to you, we wait up to 30 days for your response.
5. We publish information about your report
The final step of the coordinated disclosure process can be:
- We agree on coordinated disclosure of the fixed vulnerability. Upon request, we add your name to our Acknowledgments section.
- We publish information regarding an invalid vulnerability to inform future testers.
Scope and possible bug bounties
The disclosure policy on this page is valid for the following domain names (and underlying servers):
|Domain name||Eligible for bug bounties|
|All other domains operated by us||no|
The following bounties are only a guideline. We include the actual bug bounty in our responses. If all testing requirements were met, we offer the following bounties:
|Type of vulnerability||Bug bounty up to|
|Security-relevant configuration weakness||Acknowledgment|
|Information leakage (except personal data)||€75|
|Code injection (e.g., HTML, JS)||€100|
|Unauthorized access (user-level)||€100|
|Remote Code Execution (RCE)||€150|
|Leakage of personal data||€175|
|Unauthorized access (root-level)||€175|
Out-of-scope are vulnerabilities of software that we don’t use, vulnerabilities that require physical access to our servers, and recently disclosed 0-day vulnerabilities. If you report out-of-scope vulnerabilities, you may still be eligible to be listed below.
Bug bounties can only be paid via bank wire transfer (EU countries only) or Stellar Lumens (XLM). There may exist additional legal regulations and requirements regarding payments and bug bounties in your country.
Testing requirements and code of conduct
Please observe our testing requirements and code of conduct:
1. Check whether you are the first reporter
You must be the first reporter of a potential vulnerability. Please go to our issue trackerexternal link BEFORE reporting anything, and check whether somebody already reported the potential vulnerability.
2. Check the scope
The reported vulnerability and the domain name must be in scope.
3. Provide a report
Please include the following in your report:
- A brief description of the security vulnerability (Which software is affected? What is the issue?)
- A brief description of risks originating from the security vulnerability (What are risks for our website?)
- A step-by-step guide that allows us to reproduce the issue
If necessary, add screenshots or proof of concept code.
4. Do not act unprofessionally
- Do not randomly attack our server with automated tools. Flooding our servers with millions of requests or executing random attacks neither is something a professional penetration tester does nor something that we want to see.
- Do not leak, manipulate, or destroy any data on our servers.
- Do not publish anything regarding a confirmed and unpatched vulnerability without our prior permission.
- Do not use abusive language, act criminally, or impersonate us.
- Do not demand a bug bounty, or try to press us for money.
We would like to thank the following researchers and testers:
|2019-08-28||Undisclosed||Unintended metadata in some files||€25|
We updated this page on May 28, 2020. For transparency, we provide a complete changelog of this page on codeberg.orgexternal link.