I'm adding a security.txt to my site, and as part of it I have the opportunity to link to a security policy, which is supposed to "help security researchers understand the organization's vulnerability reporting practices". This page is that policy.

Rules of engagement

First things first, some ground rules.

  1. If you find something novel in software I run but don't maintain (Mastodon, for example), report it upstream to the maintainers as well as to me. I run a lot of things I don't maintain myself, and a fix that only lands on my instance doesn't help anyone else.
  2. Please don't hammer my services with requests or other heavy load between 8 PM and 6 AM UTC. I sleep in the same room as my servers, and the fans in 1U servers get noisy under load.

Disclosure

I prefer coordinated disclosure, so I have a shot at fixing things before details go public. But if you can't get hold of me within 30 days of your first attempt, go nuts and publish.

Compensation

I work a part-time job due to my disabilities, so I can't generally afford bug bounties. I can scrounge something up if it's something really big, but usually the most I can offer is shoutouts, (virtual) headpats, and/or mailing you a postcard.