Security Policy - Vulnerability Disclosure

Version 1.0 | Last updated: February 2026

Introduction

johlem.net takes security seriously. We welcome responsible disclosure of security vulnerabilities that may affect our website, tools, or infrastructure.

Reporting a Vulnerability

security@johlem.net

Encrypt sensitive reports using our PGP key (available on request).

What to Include

Detailed description of the vulnerability
Step-by-step reproduction instructions
Affected URL(s), parameter(s), or component(s)
Potential impact assessment
Proof-of-concept code or screenshots
Your recommended remediation (optional)
Your contact information for follow-up

Scope

In Scope

johlem.net main website
*.johlem.net subdomains
All security tools hosted on /tools/
APIs and backend services

Out of Scope

Social engineering attacks
Physical security attacks
Denial of Service (DoS/DDoS)
Spam or phishing using our brand
Third-party services and integrations
Vulnerabilities requiring unlikely user interaction
Issues in outdated browsers
Missing security headers on non-sensitive pages
Information disclosure of non-sensitive data

Qualifying Vulnerabilities

Remote Code Execution (RCE)
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
Authentication/Authorization bypass
Sensitive data exposure
Directory traversal
Insecure direct object references
Security misconfigurations with real impact

Rules of Engagement

Do not access, modify, or delete data belonging to others
Do not perform actions that could harm service availability
Do not use automated scanners without prior approval
Do not exploit vulnerabilities beyond proof-of-concept
Do not publicly disclose before we have addressed the issue
Provide reasonable time for remediation (minimum 90 days)
Act in good faith throughout the process

Our Commitment

Response Timeline

Initial acknowledgment	Within 48 business hours
Severity assessment	Within 5 business days
Status updates	Every 2 weeks minimum
Resolution target	30-90 days depending on severity

What We Will Do

Acknowledge receipt of your report promptly
Investigate and validate the vulnerability
Keep you informed of our progress
Credit you in our acknowledgments (with permission)
Notify you when the issue is resolved

Safe Harbor

Security research conducted in accordance with this policy is considered authorized. We will not pursue legal action against researchers who:

Follow this disclosure policy
Act in good faith
Avoid privacy violations and data destruction
Do not disrupt our services

Recognition

We believe in recognizing security researchers who help us improve. With your permission, we will:

List your name/handle on our Security Acknowledgments page
Provide a reference letter upon request

Note: We do not currently offer monetary rewards (bug bounty). This may change in the future.

Contact

Security reports: security@johlem.net
PGP key: Available on request
security.txt: /.well-known/security.txt

Security Acknowledgments | Quick Reference

JOHLEM