Vulnerability Reports

From a defense perspective, Information Security is tough to get right. Even when everything has been done correctly, vulnerabilities in software and hardware exist that you either have no knowledge of, or are unable to resolve for some reason.

In theory (and so far, in practice) nothing is ever 100% secure. A defender has limited time to find and fix every issue, whereas an attacker has unlimited time to find and exploit just one.

If I have found an issue with a system you are responsible for…

I have not done so maliciously, and I don’t want anything in return (unless you participate in or otherwise offer a bug bounty, of course!) with one exception: for the problem to be resolved. I may also like to write about it as part of responsible disclosure, but if you do not wish for this to happen, please tell me. I will always attempt to make contact first, several times, before publishing anything. Normally this will be a minimum of 90 days after first contact, though if the issue is judged to be very severe and I don’t hear anything back from you, this 90-day delay may be reduced. I’ll let you know, though.

If you have found an issue on this site or something hosted on this server…

Want to dig about? Or have you happened across something interesting? The only rules are “don’t leak/share personal data” (including information about the issue) and “try not to take anything offline”.

Whether it’s full-blown RCE, minor information disclosure or something that I just haven’t bothered to update, feel free to get in touch and let me know! I can’t pay, but I’ll add your name/alias/handle/etc. to this page. It’s not much, but it’s something 🙂

These fine people have reported an issue…

Nobody so far! Be the first?

We can’t fix every security issue out there, but if we can fix just one it makes everyone that little bit safer.

You can see any information security related posts I’ve already made by checking out the infosec tag.