Security Contact and Vulnerability Disclosure

You are permitted to try to hack, without fear of prosecution, the public-facing servers I run and own, as long as you alert me immediately once you succeed and make your best effort not to deny service to any of my users. Currently, the only server that falls under this agreement is the one at the IP address that defuse.ca resolves to. This does not include my personal email, my employer's websites, or other systems running in the same datacenter as one of my servers (that I don't own).

Full Disclosure Policy

If you find a bug in any of my services or software, and you judge immediate disclosure to be in the public's best interest, you may immediately disclose it to the public and then email me about it. Feel free to open public issues on the relevant project's GitHub issue tracker. This does not necessarily apply to the projects of my employers, only to my personal projects (non-fork repos under defuse on GitHub).

If you feel uncomfortable disclosing a vulnerability to the public without first notifying me, you are welcome to contact me first, but it is unnecessary.

Backdoor Insertion Proof-of-Concept Bounty

The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects (it could be encoded somehow, like base64), I will pay them $100 USD. (Yes, someone did get a reward for social engineering me into adding this paragraph after I tweeted about the challenge!)