Security & Disclosure Policy
We take security seriously. If you've found a vulnerability in this site, we want to hear about it through responsible disclosure.
Reporting a Vulnerability
If you believe you've found a security vulnerability in ReconHygiene.com, please disclose it responsibly by contacting us directly. We commit to:
- Acknowledging receipt of your report within 48 hours
- Providing a status update within 7 days
- Working to resolve confirmed vulnerabilities within a reasonable timeframe
- Crediting reporters who request acknowledgment (in our changelog or disclosure post)
How to Report
Send vulnerability reports to: security@reconhygiene.com
Please include:
- Description of the vulnerability
- Steps to reproduce (proof-of-concept if applicable)
- Potential impact assessment
- Any suggested remediation (optional)
Scope
In scope for responsible disclosure:
- reconhygiene.com and all subdomains
- Contact form security issues
- Security header configuration issues
- Content injection or XSS vectors
Out of scope:
- Denial of service attacks
- Social engineering of site operators
- Physical attacks
- Third-party services (Formspree, Cloudflare)
Security Posture
This site is designed with security-first principles:
- Static site — no server-side database or CMS login endpoints
- Enforced HTTPS with HSTS preloading
- Content Security Policy with strict source restrictions
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Minimal dependencies, locked package versions
- Privacy-first analytics (no invasive tracking)
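The posture list above doubles as a checklist that can be verified against a site's actual response headers. The following is an added example, not ReconHygiene.com's own code, that checks a header set against each listed control; SAMPLE_HEADERS is a constructed passing response, and the HSTS thresholds (max-age of at least one year, includeSubDomains, preload) are the hstspreload.org submission requirements.

```python
# Added example (not ReconHygiene.com's code): check response headers against the list above.
from typing import Dict, List

ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; img-src https:" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every listed control is present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS preloading needs max-age >= 1 year plus includeSubDomains and preload.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    ages = [int(d[8:]) for d in hsts if d.startswith("max-age=") and d[8:].isdigit()]
    if max(ages, default=0) < ONE_YEAR or "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS is not preload-ready")
    # "Strict source restrictions": the directive governing scripts (script-src,
    # else the default-src fallback) must exist and allow no '*' or 'unsafe-inline'.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        findings.append("CSP missing or has no default-src")
    elif "*" in script_sources or "'unsafe-inline'" in script_sources:
        findings.append("CSP allows scripts from '*' or 'unsafe-inline'")
    # Headers the posture states with exact values (compared case-insensitively).
    expected = {
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "referrer-policy": "strict-origin-when-cross-origin",
    }
    for name, want in expected.items():
        if h.get(name, "").lower() != want.lower():
            findings.append(f"{name} is not '{want}'")
    return findings

# Constructed sample response that satisfies every control on the list.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Feed it the headers from a real response (for example the dict from a `requests` response) to see which of the listed controls are missing or weakened.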
Bug Bounty
This is a personal/professional site and does not currently offer a formal bug bounty. However, significant findings will be acknowledged publicly (with reporter consent) and we will credit your work.
Machine-Readable Policy
A machine-readable security.txt file is available at /.well-known/security.txt per RFC 9116.
Last updated: January 2025