A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP should therefore be easy to find, and the standard way to point to it is a security.txt file, specified in RFC 9116 and served over HTTPS at /.well-known/security.txt. RFC 9116 makes the Contact and Expires fields mandatory, spells the credits field Acknowledgments, and expects Contact, Policy, Canonical and Acknowledgments to hold URIs (for example mailto: or https://). As reproduced here, the file below has no Expires field, gives Contact as a bare email address rather than a mailto: URI, and carries free text in the Policy and Acknowledgements fields, so a strict RFC 9116 parser would flag it even though the policy itself is readable.
Contact: security@jameslhc.com
Acknowledgements: We appreciate the efforts of security researchers in helping us improve our security.
Preferred-Languages: en
Canonical: https://jameslhc.com/.well-known/security.txt
Policy:
- We prioritize the security of our systems and appreciate responsible disclosure of vulnerabilities.
- If you find a vulnerability, please report it to us via email to the address mentioned above.
- Please provide sufficient information to reproduce the issue for prompt resolution.
- Do not disclose the vulnerability to others until it has been resolved.
- Do not perform any destructive or unauthorized actions on our systems.
- We commit to maintaining strict confidentiality and will not share your personal details without your consent.
- We aim to respond to your report within 7 business days with an evaluation and expected resolution timeline.
- Once the issue is resolved, we will credit you as the discoverer, unless you request otherwise.
- We do not take legal action against security researchers who follow responsible disclosure practices.
- We appreciate your contribution in helping us maintain the security of our systems.
Out of scope vulnerabilities:
- Deadlinks
- Email spoofing
- Missing DNSSEC, CAA, CSP headers, DMARC record
- Content spoofing and text injection without demonstrating an attack vector/modifying HTML/CSS
- Lack of Secure or HTTP only flag on non-sensitive cookies
- Clickjacking on non-sensitive pages
- Unauthenticated/logout/login CSRF
- Attacks requiring physical or MITM access
- Activities that may disrupt our service (DoS)
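The following is an added example, not part of the FireBounty page or of jameslhc.com's own tooling: a small RFC 9116 linter that parses a security.txt file, checks the mandatory Contact and Expires fields, checks that URI-valued fields actually hold URIs, rejects duplicate singleton fields, and validates the Expires timestamp against a supplied "now". The first sample input is constructed from the field lines of the file shown above (free-text policy bullets omitted, since they are not field lines); the second is a constructed, hypothetical corrected version, and its Policy URL is an assumption used only for illustration.

```python
# Added example: a minimal RFC 9116 security.txt linter. Not part of the
# page or of any vendor's tooling. Sample inputs below are constructed.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("Contact", "Expires")
# Fields whose value RFC 9116 requires to be a URI.
URI_FIELDS = ("Contact", "Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy")
# Fields that must not appear more than once.
SINGLETON = ("Expires", "Preferred-Languages")
# Field names are case-insensitive; map lower-case spelling to RFC spelling.
KNOWN = {f.lower(): f for f in URI_FIELDS + ("Expires", "Preferred-Languages")}


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line (e.g. a free-text bullet)
        fields.append((name.strip(), value.strip()))
    return fields


def is_uri(value):
    """Accept mailto:/tel: URIs and scheme://host URLs; reject bare addresses and prose."""
    p = urlparse(value)
    return bool(p.scheme) and (p.scheme in ("mailto", "tel") or bool(p.netloc))


def lint_security_txt(text, now=None):
    """Return a list of human-readable findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    findings, seen = [], {}
    for name, value in parse_security_txt(text):
        canon = KNOWN.get(name.lower())
        if canon is None:
            hint = " (RFC 9116 spelling is 'Acknowledgments')" if name.lower() == "acknowledgements" else ""
            findings.append(f"unknown field '{name}'{hint}")
            continue
        seen.setdefault(canon, []).append(value)
        if canon in URI_FIELDS and not is_uri(value):
            findings.append(f"{canon}: value is not a URI: {value!r}")
    for req in REQUIRED:
        if req not in seen:
            findings.append(f"missing required field {req}")
    for single in SINGLETON:
        if len(seen.get(single, [])) > 1:
            findings.append(f"{single} must appear only once")
    if "Expires" in seen:
        try:
            exp = datetime.fromisoformat(seen["Expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                findings.append("Expires lacks a UTC offset")
            elif exp <= now:
                findings.append("Expires is in the past; the file should be treated as stale")
            elif exp > now + timedelta(days=366):
                findings.append("Expires is more than a year ahead (RFC 9116 recommends under a year)")
        except ValueError:
            findings.append("Expires is not an RFC 3339 timestamp")
    return findings


# Constructed from the field lines of the file shown on this page.
SAMPLE_AS_PUBLISHED = """\
Contact: security@jameslhc.com
Acknowledgements: We appreciate the efforts of security researchers in helping us improve our security.
Preferred-Languages: en
Canonical: https://jameslhc.com/.well-known/security.txt
Policy: - We prioritize the security of our systems and appreciate responsible disclosure of vulnerabilities.
"""

# Hypothetical corrected version; the Policy URL is an assumption, not a real page.
SAMPLE_CORRECTED = """\
Contact: mailto:security@jameslhc.com
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Canonical: https://jameslhc.com/.well-known/security.txt
Policy: https://jameslhc.com/security-policy
"""

# Fixed reference time (the page's crawl date) so results are reproducible.
CRAWL_DATE = datetime(2025, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, sample in (("as published", SAMPLE_AS_PUBLISHED), ("corrected", SAMPLE_CORRECTED)):
        print(f"== {label} ==")
        for f in lint_security_txt(sample, now=CRAWL_DATE) or ["OK"]:
            print(" -", f)
```

Run it and the published version yields four findings (non-URI Contact, non-RFC field name Acknowledgements, non-URI Policy, missing Expires) while the corrected version passes; pass a later `now` to see the same corrected file reported as expired, which is the check an automated scanner should apply before trusting a stale contact address.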
This policy was crawled by Onyphe on 2025-07-01 and is categorized as securitytxt.
FireBounty © 2015-2025