Security Contact and Vulnerability Disclosure

You are permitted to try and hack, without fear of prosecution, the public-facing servers I run and own as long as you alert me immediately once you succeed and make your best effort not to deny service to any of my users. Currently, the only server that falls under this agreement is the one at the IP address that defuse.ca resolves to. This does not include my personal email, my employer's websites, or other systems running in the same datacenter as one of my servers (that I don't own).

If you find a bug in any of my services or software, please immediately disclose it to the public and then email me about it. The best way to do that is to open an issue on the project's GitHub issue tracker. An alternative is to send an email to the Full Disclosure mailing list.

If you feel uncomfortable disclosing a vulnerability to the public without first notifying me, you are welcome to contact me first, but it is unnecessary.

Backdoor Insertion Proof-of-Concept Bounty: The first time someone tricks me into inserting the string "BackdoorPoCTwitter" into a release of any of my software projects, I will pay them $100 USD.