Security Policy
Last Updated: March 19, 2026
I take the security of this website and the data it handles seriously. If you discover a vulnerability, I want to hear about it so I can fix it quickly and protect the people who use this site.
This policy describes what systems are in scope, how to report a finding, what to expect from me after you do, and the legal protections I offer to researchers who follow these guidelines.
This policy complies with RFC 9116. The machine-readable version lives at /.well-known/security.txt.
Scope
The following systems and assets are in scope for security research under this policy:
Primary website
digitalmarketingservices.proand all pages served from it- Client-side JavaScript, CSS, and static assets
- The contact form and its server-side form handler
Client intake system
- Intake questionnaire forms and their associated admin views
Server infrastructure
- The hosting environment serving this site
- Server configurations, file permissions, and access controls
Third-party integrations
- CDN configuration and security rules
- Embedded third-party widgets and analytics scripts
- Any API endpoints or webhooks connected to the site
If you are unsure whether a particular system falls within scope, ask first. Email me at [email protected] before testing.
Qualifying vulnerabilities
I am interested in reports covering (but not limited to):
- Injection flaws: SQL injection, cross-site scripting (XSS), command injection, template injection
- Authentication and authorization issues: bypasses, privilege escalation, broken access controls
- Sensitive data exposure: unprotected credentials, API keys, personal data leaks
- Cross-site request forgery (CSRF): actions performed without user consent
- Security misconfigurations: exposed admin panels, directory listings, debug endpoints, permissive CORS
- Insecure file handling: unrestricted uploads, path traversal, local file inclusion
- Cryptographic weaknesses: weak TLS configurations, insecure cookie flags, missing HSTS
What does not qualify
The following are generally not considered valid findings unless you can demonstrate a concrete, exploitable impact:
- Outdated software versions without a working proof-of-concept exploit
- Missing HTTP security headers with no demonstrated attack scenario
- Clickjacking on pages that contain no state-changing actions
- Self-XSS (requires the victim to paste code into their own browser)
- Rate limiting or brute-force issues on non-authentication endpoints
- SPF, DKIM, or DMARC configuration opinions without a demonstrated spoofing attack
- Content injection through user-controlled URL parameters that only the attacker sees
- Automated scanner output without manual verification or context
How to report
Send your report to: [email protected]
Use the subject line: [Security Report] Brief description of the issue
A good report includes:
- Description of the vulnerability and its potential impact
- Steps to reproduce, detailed enough that I can follow them
- Affected URL or endpoint where the issue exists
- Your severity estimate (Critical, Medium, or Low, using the definitions below)
- Screenshots or proof-of-concept if applicable
- Your preferred contact method for follow-up
Please do not include actual exploited data, malware samples, or anything that could cause harm if intercepted in transit. If you need to share sensitive details, mention that in your initial email and I will arrange a secure channel.
Severity classification
I use a simple three-tier system to prioritize remediation:
Critical
Vulnerabilities that allow unauthorized access to systems, data, or user accounts with minimal effort. These represent an immediate threat.
Examples: Remote code execution, SQL injection in the form handler, authentication bypass on intake forms, exposed database credentials, server-side request forgery with internal network access.
Remediation target: Within 120 calendar days.
Medium
Vulnerabilities that require user interaction or specific conditions to exploit, but could still cause meaningful harm.
Examples: Stored or reflected XSS, CSRF on state-changing actions, information disclosure of non-public data, insecure direct object references, open redirects usable in phishing chains.
Remediation target: Within 150 calendar days.
Low
Minor issues that have limited direct impact or require unlikely conditions to exploit.
Examples: Missing security headers with no demonstrated attack path, verbose error messages revealing stack traces, minor misconfigurations, information leaks of non-sensitive data.
Remediation target: Best-effort basis, prioritized alongside other work.
Response timeline
After you submit a report, here is what to expect:
| Stage | Timeframe |
|---|---|
| Acknowledgment | Within 5 business days. I will confirm I received your report and provide a reference identifier. |
| Triage | Within 10 business days. I will assess the severity, confirm whether it qualifies, and share my initial evaluation with you. |
| Remediation (Critical) | Target: 120 calendar days from confirmation. |
| Remediation (Medium) | Target: 150 calendar days from confirmation. |
| Remediation (Low) | Best-effort, no fixed deadline. |
| Notification | I will notify you when the fix is deployed. |
I run a small operation. If I expect delays beyond these targets, I will tell you and explain why. Transparency goes both ways.
Coordinated disclosure
I follow a coordinated disclosure model:
- Do not disclose publicly until I confirm the vulnerability has been fixed, or 120 calendar days have passed since your initial report, whichever comes first.
- After the 120-day window, you are free to publish your findings regardless of whether a fix has been deployed. I may request an extension for complex issues, but the decision to grant it is yours.
- I will keep you informed of remediation progress throughout the process.
- Once fixed, I will credit you on the Security Acknowledgments page (unless you prefer to remain anonymous).
Prohibited activities
The following activities are not authorized under this policy, regardless of intent:
Social engineering. Do not phish, pretext, impersonate, or otherwise manipulate me, my clients, or any person associated with this business. Testing should be limited to technical systems.
Denial of service. Do not perform load testing, traffic flooding, resource exhaustion, or any action intended to degrade or disrupt service availability.
Physical attacks. Do not attempt to access physical servers, offices, data centers, or hardware.
Data exfiltration. If a vulnerability gives you access to real user or client data, stop immediately. Do not access, copy, download, or store that data. Report the vulnerability with enough detail to reproduce it, but leave the data untouched. This is the single most important rule in this policy.
Violating any of these prohibitions voids the safe harbor protections described below.
Safe harbor
I want security researchers to feel safe reporting vulnerabilities to me. To that end:
I will not pursue legal action against anyone who reports a security vulnerability in good faith, provided they:
- Act within the scope defined in this policy
- Do not access, modify, or destroy data belonging to others
- Do not disrupt the availability of any system
- Follow the coordinated disclosure rules above
- Comply with all prohibited activity restrictions
This safe harbor applies to claims under the Computer Fraud and Abuse Act (CFAA), the Colorado Computer Crime statute (C.R.S. 18-5.5-102), and any equivalent state or federal laws.
If a third party (such as a hosting provider or CDN) initiates action against you for activities covered by this policy, I will take reasonable steps to make it known that your research was authorized under these terms.
In short: Follow this policy in good faith, and I will treat you as a partner, not a threat.
Recognition
Valid vulnerability reports earn recognition on the Security Acknowledgments page. Each entry includes:
- Your name or handle (with an optional link to your website or profile)
- The month and year of disclosure
- A brief summary of the finding
- The severity tier
If you prefer to remain anonymous, let me know in your report and I will respect that.
No monetary bounty is offered at this time. I appreciate your contribution to keeping this site and its users safe.
Report data handling
Vulnerability reports are received via email and stored in a private inbox. I retain the following information for the duration of the remediation process and for up to 12 months after resolution:
- Your name or handle and contact email
- The vulnerability description, reproduction steps, and any attachments
- Communication history related to the report
After 12 months, report details are archived or deleted. If you would like your personal data removed sooner, email me and I will accommodate that request within 10 business days.
I do not share report details or researcher contact information with third parties, except as necessary to remediate the vulnerability (for example, notifying a hosting provider about a server-level issue).
Changes to this policy
I may update this policy from time to time. Substantive changes will be reflected in the “Last Updated” date at the top of this page. The current version always lives at /security-policy/ and is referenced from /.well-known/security.txt.
Governing law
This policy is governed by the laws of the State of Colorado, United States. The entity responsible is Kreaktive LLC, doing business as Digital Marketing Services, located in Colorado Springs, Colorado.
Contact
For security reports: [email protected]
For general inquiries: Contact page
Machine-readable security contact info: /.well-known/security.txt