Skip to content
Hostphyl Policy Center

Responsible Disclosure Policy

Scope

This policy applies to security vulnerabilities discovered in:

  • Hostphyl.com and all associated subdomains
  • Hostphyl-operated API endpoints
  • Any other Hostphyl-owned web properties
  • All client websites hosted and managed by Hostphyl

Hostphyl acts as the primary point of contact for all security-related matters concerning our client websites as well as our own site and web properties. Hostphyl designs, builds and hosts for many clients and businesses. As such, we manage the entire vulnerability disclosure process on behalf of our clients, ensuring proper communication and coordination between security researchers and affected clients as necessary.

Disclosure Guidelines

Rules of Engagement

For client websites: Hostphyl coordinates all security testing with our clients. When testing client websites:

  • Hostphyl will obtain necessary permissions and authorizations from clients
  • Clients will be informed of ongoing security assessments if applicable
  • Testing schedules may be adjusted based on client business requirements
  • Critical findings affecting client data will be expedited to both Hostphyl and the affected client

Security researchers must:

  • Test only against test accounts you own or have explicit permission to test
  • Not disclose vulnerability details to others until Hostphyl has resolved the issue
  • Not access, modify, or delete data belonging to other users
  • Not impact service availability or degrade system performance
  • Immediately stop testing and notify us if you encounter sensitive data

Explicitly forbidden actions:

  • Denial of Service (DoS/DDoS) attacks, or any attack designed to interrupt or degrade services
  • Social engineering or phishing attempts against Hostphyl employees or clients
  • Physical security testing of offices, data centers, or any other property belonging to Hostphyl or its clients.
  • Testing of third-party applications, websites, or services that integrate with Hostphyl or client websites.
  • Automated scanning without prior notification and approval

You may only perform explicitly forbidden actions if you have explicit written approval and permission from Hostphyl.

Reporting Requirements

Your report should include:

  • Detailed description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept code (if applicable)
  • Impact assessment
  • Suggested mitigation or fix (optional)

Communication Protocol

  • All vulnerabilities must be reported to [email protected]
  • Initial response will be provided within 24 hours
  • Status updates will be provided every 72 hours until resolution

Resolution Process

  1. Acknowledgment: We will confirm receipt within 24 hours
  2. Assessment: Initial severity assessment within 72 hours
  3. Client Coordination (if applicable):
    • Notify affected clients of the vulnerability
    • Coordinate resolution timeline based on client impact
    • Keep clients informed of progress
  4. Resolution:
    • Critical issues: Fix within 7 days
    • High severity: Fix within 14 days
    • Medium/Low severity: Fix within 30 days
  5. Verification: Researchers may be asked to verify the fix
  6. Client Verification (if applicable): Affected clients confirm fix effectiveness
  7. Public disclosure: Coordinated after fix implementation and client approval

Compensation and Recognition

  • All vulnerability reports must be provided without expectation of compensation
  • The use of security tools or vulnerability testing for soliciting services or “beg bounties”, or purposly witholding information in exchange for finacial compensation is prohibited (Troy Hunt is awesome BTW)
  • Hostphyl does not operate a paid bug bounty program at this time
  • Researchers may receive:
    • Public acknowledgment (with permission)
    • Letter of appreciation
    • Recognition in our security hall of fame (with permission) (coming soon!)

Legal Safe Harbor

Security researchers who:

  • Comply with this policy
  • Make good faith efforts to avoid privacy violations, destruction of data, and interruption or degradation of services
  • Only interact with test accounts they own or have permission to use

Will receive:

  • No legal action related to the research
  • No law enforcement report
  • No professional or contractual retaliation

Our Commitment

Hostphyl commits to:

  • Working with researchers to understand and resolve reported issues
  • Maintaining transparent communication throughout the process
  • Not pursuing legal action against researchers acting in good faith
  • Address vulnerabilities in a timely manner
  • Provide public recognition when desired and appropriate
  • Maintain professionalism, humility, and grace in all interactions
  • Take ownership of mistakes and errors as part of our commitment to security

Contact

For questions about this policy or to report a vulnerability: