This page describes how I handle security research, both when I report issues to others and when I receive reports about projects I maintain. The goal is simple: get real problems fixed while treating everyone involved fairly and lawfully.

Reporting a vulnerability to me

If you believe you have found a security issue in a project I maintain or operate, please email security@mail.mcpsec.dev. Helpful reports include:

  • A description of the issue and its potential impact.
  • Steps to reproduce, or a proof of concept.
  • The affected version, URL, or component.

I aim to acknowledge reports within a few business days. Please give me a reasonable opportunity to investigate and remediate before any public disclosure, and do not access, modify, or destroy data that is not yours while researching.

How I disclose to vendors and maintainers

When I find a vulnerability in someone else’s software, I follow coordinated disclosure:

  1. I contact the maintainer or vendor privately with the technical details and remediation guidance.
  2. I allow reasonable time to develop and ship a fix, typically up to 90 days, and I am flexible when a maintainer is engaged and working in good faith.
  3. I publish an advisory once a fix is available or the disclosure window has closed, so others can understand and defend against the issue.

How I notify affected site operators

Some vulnerabilities affect large numbers of internet-facing installations. When that happens, I may notify individual operators that their site appears to be running a vulnerable or end-of-life component. In every case:

  • I rely only on publicly available information the site already serves, such as a version manifest.
  • I do not exploit the vulnerability, access private data, or attempt to gain unauthorized access.
  • The notice points to a page on this site explaining what to check and how to fix it. See For Site Operators.

What I will never do

  • Ask you for money, passwords, credentials, or access to your systems.
  • Pressure you or threaten to publish your details.
  • Access, alter, or exfiltrate data that is not mine.

Privacy

I take security and privacy seriously. Information shared with me as part of a report is used only to investigate and remediate the issue, and is not sold or shared for unrelated purposes.