Security is important to me, and I appreciate responsible reports from researchers, developers, administrators, and users who believe they have found a security issue affecting jmoorewv.com or any related system that I own or operate.
This Security Disclosure Policy explains how to report a potential vulnerability, what types of testing are allowed, what activity is not permitted, and how security reports will be handled.
Responsible Disclosure
If you believe you have discovered a security vulnerability, please report it privately before sharing it publicly. Responsible disclosure gives me a reasonable opportunity to review, confirm, and address the issue before details are released to others.
Please do not publicly disclose, post, publish, share, sell, or distribute details of a vulnerability until I have had a reasonable amount of time to investigate and correct the issue.
How to Report a Security Issue
Security reports should include enough information to understand, reproduce, and verify the issue. A helpful report may include the affected URL, a description of the issue, steps to reproduce it, screenshots, proof-of-concept details, browser or tool information, and any relevant timestamps.
Please do not include private data, sensitive information, credentials, or information belonging to other users unless it is absolutely necessary to explain the issue.
Security reports may be submitted through the contact methods provided on jmoorewv.com.
Good Faith Testing
Good faith security testing is limited to non-destructive activity that helps identify a possible vulnerability without harming the website, server, services, users, data, uptime, or infrastructure.
Testing should be limited, controlled, and stopped immediately if it appears to affect performance, expose private information, trigger errors, bypass access controls, or cause unintended behavior.
Allowed Testing
You may perform limited, non-destructive testing to confirm the existence of a vulnerability, provided that the testing does not cause harm, does not access private data, does not degrade service, and does not violate the restrictions in this policy.
Examples of generally acceptable testing may include reviewing public pages, checking for basic configuration issues, identifying broken access controls without accessing private data, and providing a harmless proof of concept when necessary.
Prohibited Testing
You may not perform testing that damages, disrupts, degrades, overloads, or attempts to gain unauthorized access to any website, server, account, database, file system, network, service, or third-party system.
Prohibited activity includes denial-of-service testing, automated high-volume scanning, brute-force attacks, credential stuffing, social engineering, phishing, spam, malware deployment, data exfiltration, destructive testing, privilege escalation beyond what is necessary to demonstrate the issue, or attempts to access, modify, delete, or copy data that does not belong to you.
You may not test physical security, employee security, third-party providers, hosting companies, payment processors, domain registrars, email providers, analytics platforms, or any system that I do not own or control.
Privacy and Data Protection
If you accidentally access private, personal, confidential, or sensitive information during testing, you must stop immediately and report the issue without saving, copying, sharing, transferring, modifying, or using the information.
You must not disclose private data to anyone else. Any report involving private information should include only the minimum details necessary to explain the security concern.
No Permission to Access Systems
This policy does not grant permission to access, scan, attack, exploit, copy, modify, delete, disrupt, or interfere with any system beyond the limited good faith testing described above.
Nothing in this policy allows unauthorized access to administrative areas, user accounts, private files, server resources, databases, source code repositories, payment systems, email accounts, analytics accounts, hosting accounts, or third-party services.
No Bug Bounty Program
Unless explicitly stated otherwise in writing, jmoorewv.com does not operate a paid bug bounty program.
Submitting a security report does not create an obligation for payment, reward, employment, contract work, public recognition, or any other compensation.
Report Review
I will make a reasonable effort to review valid security reports and determine whether the reported issue affects a website, system, service, or application that I own or operate.
Some reports may be rejected if they are inaccurate, unverifiable, duplicate, out of scope, low impact, caused by expected behavior, related to third-party systems, or based on automated scan results without a clear security impact.
Out-of-Scope Issues
Some issues may be considered out of scope, including reports about missing optional security headers, outdated version banners with no demonstrated impact, theoretical vulnerabilities, clickjacking on pages with no sensitive action, rate limiting concerns with no practical abuse case, SPF or DMARC suggestions without a clear exploit path, and reports generated only by automated tools without manual verification.
Third-party services, embedded content, browser extensions, user devices, internet service providers, hosting provider infrastructure, payment processors, domain registrars, email providers, and external websites are outside the scope of this policy unless I specifically state otherwise.
Public Disclosure
Please do not publicly disclose any vulnerability details until the issue has been reviewed and resolved, or until I have provided written permission for disclosure.
Public disclosure without permission may put users, systems, data, or services at risk and may be treated as a violation of this policy.
Safe Harbor
If you comply with this policy, act in good faith, avoid harm, protect privacy, and report security issues responsibly, I will not pursue legal action against you for the limited security research activity described in this policy.
This safe harbor does not apply to activity that is illegal, harmful, destructive, abusive, deceptive, extortionate, privacy-invasive, or outside the scope of this policy.
Changes to This Policy
This Security Disclosure Policy may be updated from time to time. Any changes will be posted on this page with an updated effective date.
Effective Date: May 15, 2026