To help with his goal, he has launched several websites which provide free and useful content to help people secure their systems and data. He wants all users browsing his websites to know he cares about their security and implements the following security controls across all websites he operates:
- Encrypted communications between users' browsers and websites by using HTTPS with good configuration.
- Security headers that help to enforce HTTPS, restrict unauthorised content and block user-targeted attacks such as clickjacking and cross-site scripting.
- Filtering of malicious requests targeting the applications, based on both known and unknown attack patterns.
- Periodic web vulnerability scans (automated and manual).
- Independent security checks from a close team of volunteer cyber security professionals.
- Welcoming responsible communication of security issues discovered by anyone browsing his sites.
- A security.txt file to guide security researchers, as part of the security.txt initiative.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us;
- Share discovered vulnerabilities only using the contact methods listed on the Contact page.
If you follow these guidelines when reporting an issue, Gavin commits to:
- Not pursuing or supporting any legal action related to your research;
- Working with you to understand and resolve the issue quickly;
- Recognizing your contribution on the Security Researcher Hall of Fame, if you are the first to report the issue and he has to make a code or configuration change based on the issue.
- Any services NOT hosted at the domains listed above.
In the interest of users and of you as a security researcher, the following test types are neither permitted nor encouraged:
- Testing focused on social engineering (e.g. phishing, vishing)
- Testing of systems not listed in the ‘Scope’ section
- Any form of Denial of Service (DoS/DDoS) testing
If you believe you’ve found a security vulnerability in one of the in-scope websites, please send it to us by emailing it as plain text or PDF to [email protected]. Please include the following details with your report:
- Description of the issue and the affected URL/IP.
- Proof of concept to reproduce the vulnerability (e.g. screenshots).
- Your name/social media handle
Security configurations are continuously improved in line with good industry practices and developments. Although Gavin's websites are not under any type of regulatory or legal requirements, he continuously applies good security practices to protect all websites and users from harm.
This Security Policy was last updated on August 26, 2018. This policy can change without notice but will always ensure users and researchers have transparency about security when browsing any website Gavin controls.