Vulnerability Disclosure Policy

Last updated: March 2026

Silent Security.net takes the security of our website and infrastructure seriously. We welcome and appreciate responsible disclosure from security researchers who help us keep our visitors safe.

Scope

This policy applies to vulnerabilities found on:

  • www.silentsecurity.net and all subdomains
  • Web applications, APIs, and services hosted under our domain

How to Report a Vulnerability

If you believe you've found a security vulnerability, please report it through one of these channels:

What to Include

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL(s) or components
  • Screenshots or proof-of-concept (if applicable)
  • Your preferred contact information for follow-up

Our Commitment

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Assessment: We will investigate and validate the reported vulnerability promptly
  • Updates: We will keep you informed of our progress toward resolution
  • Credit: With your permission, we will publicly credit you for valid reports
  • No retaliation: We will not pursue legal action against researchers who follow this policy

Responsible Disclosure Guidelines

We ask that researchers:

  • Give us reasonable time to investigate and address the issue before public disclosure (minimum 90 days)
  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Refrain from denial-of-service attacks or any activity that disrupts our services
  • Refrain from exploiting vulnerabilities beyond what is necessary to demonstrate the issue
  • Refrain from social engineering or phishing against our staff or visitors
  • Refrain from testing against accounts you do not own

Out of Scope

The following are generally not considered valid vulnerabilities for this policy:

  • Clickjacking on pages with no sensitive actions
  • Missing HTTP security headers that do not lead to exploitable vulnerabilities
  • SPF/DKIM/DMARC misconfiguration without demonstrated exploit
  • Content spoofing or text injection without demonstrated impact
  • Rate limiting issues on non-authentication endpoints
  • Vulnerabilities in third-party services or libraries (report these to the vendor directly)

security.txt

Our machine-readable security contact information is available at /.well-known/security.txt, following the RFC 9116 standard.
