Responsible Disclosure Policy
This policy applies to security vulnerabilities discovered in:
- hostphyl.com and all associated subdomains
- Hostphyl-operated API endpoints
- Any other web properties owned and operated by Hostphyl
- All client websites hosted or managed by Hostphyl
Hostphyl acts as the primary point of contact for all security-related matters concerning both our own sites and those of our managed clients. Because we design, build, and host sites for many organizations, we coordinate the entire disclosure and remediation process on behalf of affected clients where necessary.
Disclosure Guidelines
Rules of Engagement
For client websites, Hostphyl coordinates all testing activities with the respective clients. This means:
- Hostphyl obtains required permissions before any coordinated testing
- Clients are informed when active assessments are taking place
- Testing schedules may be adjusted to avoid service disruption
- Critical findings impacting client data are escalated immediately to Hostphyl and the affected client
Security researchers must:
- Test only against accounts you own or have explicit permission to use
- Not disclose vulnerability details publicly until remediation is complete
- Avoid accessing, modifying, or deleting another user’s data
- Avoid actions that degrade service availability or performance
- Cease testing immediately and notify us if sensitive data is encountered
Explicitly Forbidden Actions
The following are strictly prohibited unless you have explicit written authorization from Hostphyl:
- Denial-of-Service (DoS/DDoS) or resource-exhaustion attacks
- Social engineering, phishing, or physical security testing
- Testing third-party services or integrations that Hostphyl does not own (testing these also requires explicit written authorization from the third party)
- Automated scanning, mass vulnerability reporting, or use of automated tools without prior coordination
Generic or automated “header scans,” “low-risk best-practice findings,” and any submissions intended for marketing or lead generation will be disregarded.
Messages sent to this channel for any purpose other than vulnerability disclosure (including, but not limited to, marketing and lead generation) will be ignored and the sending domain blocked.
Reporting Requirements
Your report should include:
- A detailed description of the vulnerability
- Step-by-step reproduction instructions
- Proof-of-concept code or screenshots (if applicable)
- An impact assessment
- Suggested mitigations or recommendations (optional)
Reports lacking reproducible detail may be closed as non-actionable.
Communication and Resolution Process
Initial Submission:
Send all reports to security-disclosures@hostphyl.com.
- You’ll receive an acknowledgment within 72 hours.
Assessment:
Reports are triaged and severity-rated within 72 hours based on impact, exploitability, and affected systems.
- Non-actionable or duplicate reports may be closed immediately.
- If the issue involves a client property, Hostphyl notifies and coordinates directly with the affected client.
Remediation & Timelines:
| Severity | Typical Response | Target Fix Window |
|---|---|---|
| Critical | 24 hours | Within 7 days |
| High | 24 hours | Within 14 days |
| Medium/Low | 72 hours | Within 30 days |
Hostphyl and affected clients may adjust these timelines depending on operational impact or complexity.
Verification:
Researchers may be invited to confirm fixes. Hostphyl verifies that the fix has been deployed successfully before any public disclosure or acknowledgment.
Status Updates:
Updates will be provided approximately every 72 hours until resolution or closure.
Public Disclosure:
Coordinated disclosure occurs only after the fix is deployed and (if applicable) the client has approved the release details.
Compensation and Recognition
- All vulnerability reports must be provided without expectation of compensation
- Using security tools or vulnerability testing to solicit services (“beg bounties”), or purposely withholding information in exchange for financial compensation, is prohibited (Troy Hunt is awesome BTW)
- Hostphyl does not operate a paid bug bounty program at this time
- Researchers may receive:
  - Public acknowledgment (with permission)
  - Letter of appreciation
  - Recognition in our security hall of fame (with permission) (coming soon!)
Legal Safe Harbor
Researchers who:
- Comply with this policy
- Make good-faith efforts to avoid privacy violations, data destruction, or service disruption
- Test only within authorized scope
will not be subject to:
- Legal action or law-enforcement referral
- Professional, contractual, or reputational retaliation
We appreciate professionalism and integrity in all research activity.
Our Commitment
Hostphyl commits to:
- Collaborating with researchers to validate and resolve security issues
- Maintaining transparent and respectful communication
- Addressing vulnerabilities within reasonable timeframes
- Providing appropriate recognition for good-faith contributions
- Upholding humility, professionalism, and accountability in all interactions
Contact
To report a security issue or ask a question: