To help with his goal, he has launched several websites which provide free and useful content to help people secure their systems and data. He wants all users browsing his websites to know he cares about their security and implements the following security controls across all websites he operates:
- Encrypted communications between users' browsers and websites by using HTTPS with good configuration.
- Security headers that help to enforce HTTPS, restrict unauthorised content and block attacks on users such as clickjacking and cross-site scripting.
- A filter for malicious requests targeting applications, based on known and unknown attack patterns.
- Periodic web vulnerability scans (automated and manual).
- Independent security checks from a close team of volunteer cyber security professionals.
- A welcome for responsible disclosure of security issues discovered by anyone browsing his sites.
- A security.txt file to guide security researchers, as part of the security.txt initiative.
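The header control above names three things a browser should be told: enforce HTTPS (Strict-Transport-Security), restrict what content may load (Content-Security-Policy) and refuse framing (frame-ancestors or X-Frame-Options). The script below is an added example, not code from the page or from any of the sites it describes; it audits a set of response headers against those controls. The header names are the real ones, but the minimum HSTS max-age, the finding codes and the two constructed header sets are assumptions chosen for illustration.

```python
"""Audit HTTP response headers against the controls listed in the policy.

Added example; not from the page or any site it describes. The one-year
HSTS threshold and the finding codes below are assumptions.
"""

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds (assumed minimum)


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                max_age = None  # malformed number counts as absent
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [lower-cased source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return a list of (code, message) findings for a dict of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. HTTPS enforcement: HSTS must be present, long-lived and cover subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(("hsts-max-age", "HSTS max-age below one year"))
        if not include_sub:
            findings.append(("hsts-subdomains", "HSTS lacks includeSubDomains"))

    # 2. Content restriction: CSP must exist and must not let scripts run from anywhere.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append(("csp-missing", "no Content-Security-Policy header"))
    else:
        # script-src falls back to default-src; with neither, scripts are unrestricted.
        script_src = csp.get("script-src", csp.get("default-src"))
        if script_src is None:
            findings.append(("csp-script-unrestricted", "CSP sets neither script-src nor default-src"))
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("csp-inline-script", "CSP allows inline or wildcard scripts"))

    # 3. Clickjacking: either CSP frame-ancestors or X-Frame-Options must be set.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("clickjacking", "no frame-ancestors or X-Frame-Options"))

    # 4. MIME sniffing: browsers must honour the declared Content-Type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("nosniff", "X-Content-Type-Options is not nosniff"))

    return findings


# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
GOOD_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(name, audit_headers(hdrs) or "no findings")
```

To run it against a live response you operate, feed `dict(urllib.request.urlopen(url).headers)` into `audit_headers`; the checks are deliberately read-only so they fit the periodic-scan control listed above rather than any active test.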
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us
- Only share information about any vulnerabilities you've discovered using the communication channels from the "How to report...?" section below.
If you follow these guidelines when reporting an issue to Gavin, he commits to:
- Not pursuing or supporting any legal action related to your research
- Working with you to understand and resolve the issue quickly
- Recognizing your contribution on the Security Researcher Hall of Fame, if you are the first to report the issue and he has to make a code or configuration change based on it.
- Any services hosted at the domains not listed above.
In the interest of the safety of users and you as a security researcher, the following test types are excluded from scope:
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Network/Web level Denial of Service (DoS/DDoS) vulnerabilities
If you believe you've found a security vulnerability in one of the in-scope websites, please send it to us by emailing it as plain text or PDF to [email protected]. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (e.g. screenshots)
- Your name/social media handle.
Security configurations are continuously improved in line with good industry practices and developments. Although Gavin's websites are not under any type of regulatory or legal requirements, he continuously applies good security practices to protect all websites and users from harm.
This Security Policy was last updated on August 26, 2018. This policy can change without notice but will always ensure users and researchers have transparency about security when browsing any websites Gavin controls.