Security Disclosure

Purpose

We welcome responsible reports of security issues that could affect Aetherweb, our clients, or visitors. This page explains how to report, what’s in scope, and how we respond.

How to report

  • Email: security@aetherweb.co.uk
  • Format: plain text only (no attachments/links)
  • Include: affected URL(s), impact, step-by-step reproduction, exact HTTP requests/responses (redact secrets), timestamps & source IPs, test account (if needed).
  • PGP (optional):
    Public Key: -----BEGIN PGP PUBLIC KEY BLOCK----- … -----END PGP PUBLIC KEY BLOCK-----
    Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

Our commitments

  • We’ll acknowledge valid reports within 3 business days.
  • We’ll provide status updates at least every 14 days until resolved.
  • We’ll credit researchers by name/handle (if you want) on our Hall of Thanks.
  • We do not operate a paid bug bounty; no monetary rewards are offered.

Coordinated disclosure

  • Please allow us up to 90 days to remediate before public disclosure, or longer, by mutual agreement, where a fix is complex.

Scope

In scope (examples):

  • aetherweb.co.uk and subdomains owned by Aetherweb
  • Authentication/session issues (IDOR, CSRF, SSRF, authz bypass)
  • Injection (SQLi, XSS, template, header injection)
  • Sensitive data exposure / access control flaws
  • Misconfigurations with security impact

Out of scope (examples):

  • Clickjacking on non-sensitive endpoints
  • SPF/DMARC/BTLS “best-practice” gaps without exploit
  • Rate-limiting/DoS, volumetric attacks, spam/DMARC reports
  • Missing security headers with no practical exploit
  • Self-XSS, mixed content, open redirects without impact
  • Vulnerabilities in third-party services not operated by us

Testing rules (do’s & don’ts)

Allowed (with care):

  • Your own accounts and test data
  • Non-destructive proof-of-concepts
  • Automated scanning at low rate that won’t impact availability

Strictly prohibited:

  • Denial of service or stress testing
  • Accessing, altering, or exfiltrating real customer data
  • Social engineering, phishing, or physical intrusion
  • Planting malware/backdoors
  • Persistence beyond proving impact

Safe harbor

If you act in good faith, follow this policy, avoid privacy violations, and do not disrupt services, we will not initiate legal action and will consider your testing authorized under the Computer Misuse Act / CFAA analogues for the limited purpose of reporting the vulnerability to us.

Legal & privacy

  • Don’t share vulnerability details publicly until we resolve them.
  • Delete any data obtained during testing once reported.
  • Processing of your report is under UK GDPR/DPA 2018; we retain minimal data for triage and audit.

Hall of Thanks

We appreciate researchers who help keep our users safe. With your permission, we’ll list your name/handle and (optionally) a link here.

security.txt

Our security contact details are also published at: /.well-known/security.txt.

Last updated: 2025-11-05