Responsible Disclosure Policy

How to report security vulnerabilities

Our Commitment

At johlem.net, security is our core business. We take all security reports seriously and appreciate the efforts of security researchers who help us maintain a secure platform.

How to Report

If you discover a security vulnerability, please report it to:

security [at] johlem [dot] net

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (if applicable)
  • Your contact information (optional)

Scope

In Scope

  • johlem.net (main website)
  • *.johlem.net (all subdomains)
  • Security tools (hash generator, email analyzer, etc.)

Out of Scope

  • Social engineering attacks against employees
  • Physical attacks against our infrastructure
  • Denial of Service (DoS/DDoS) attacks
  • Spam or social engineering via contact forms
  • Third-party services or applications

Guidelines

We ask that you:

  • Do not access, modify, or delete data belonging to others
  • Do not disrupt our services or degrade user experience
  • Do not exploit vulnerabilities beyond what is necessary for proof-of-concept
  • Give us reasonable time to address the issue before public disclosure
  • Act in good faith and avoid privacy violations

Our Response

When you report a vulnerability:

  • Acknowledgment: Within 48 business hours
  • Initial assessment: Within 5 business days
  • Status updates: Every 2 weeks until resolution
  • Resolution notification: Once the issue is fixed

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized: We will not pursue legal action against researchers who follow this policy
  • Lawful: We will not report you to law enforcement for activities consistent with this policy
  • Helpful: We will work with you to understand and resolve the issue quickly

This safe harbor applies only to activities conducted in compliance with this policy. Activities that endanger our users, systems, or data integrity fall outside this protection.

Recognition

We believe in recognizing the contributions of security researchers:

  • With your permission, we will acknowledge your contribution on our security acknowledgments page
  • We may provide a letter of recommendation for significant findings

Note: We currently do not offer monetary rewards (bug bounties), but we deeply appreciate your contribution to our security.

Contact

Security Reports: security [at] johlem [dot] net
PGP Key: Available upon request
security.txt: /.well-known/security.txt