Hi!
So you've found a security issue in one of my products? That's great!

If this product is hosted on GitHub, please report a vulnerability via the security reporting functionality on the repository. If that is not possible, please continue through this guide and note this in your email, so I can remediate it.

My expectations:
  1. You are not actively abusing this issue.
  2. You will wait to publish any details until I have had the opportunity to remediate issues.
  3. You will act in good faith.
  4. You will avoid any activities that disrupt, degrade or interrupt my services or that may compromise other users' data. This includes things such as spam, brute forcing, DoS, etc.
If you believe you have found an issue, email it to security at skelmis.co.nz
At minimum, your email should contain the following:
  • Affected service, and version if applicable
  • Vulnerability description
  • Reproduction steps. Without a valid exploitation context, I likely won't pursue the report.
Upon receiving a report, I will:
  • Act in good faith for all reports
  • Aim to acknowledge any findings and keep you informed of any developments
  • Aim to resolve confirmed vulnerabilities within a reasonable period of time. The goal is 90 days from confirmation; however, this will vary by report.

Scope

This disclosure process applies to the following things. Note also that certain classes of findings are out of scope. These include things such as out-of-date JavaScript libraries with no exploitable impact, TLS misconfigurations, password policy best practices, etc.

Further, this page primarily exists for the case where you come across something by accident. I would prefer that you did not actively attempt to exploit my digital presence.