Security

Responsible disclosure

I welcome reports of security vulnerabilities affecting mattpalmer.net. This is a personal site — please apply common sense: minimum scope, no high-rate automated scanning, no denial-of-service, and no data exfiltration beyond what's needed to demonstrate the issue.

Scope

  • mattpalmer.net and its subdomains.
  • Out of scope — third-party services this site depends on (Supabase, Railway, Cloudflare, FeedBurner). Please report findings against those directly to the relevant provider's disclosure programme.

How to report

Send a brief note via the contact form. Helpful contents:

  • A clear summary of the issue and where to reproduce it.
  • Steps to reproduce (URLs, requests, payloads).
  • Impact — what could a malicious party do?
  • Suggested mitigation if you have one.

The same channel is published in /.well-known/security.txt per RFC 9116.
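RFC 9116 fixes both the location of that file and a handful of structural rules (a Contact field is required, an Expires timestamp is required and must appear only once, and the file should be refreshed at least yearly). The validator below is an added example, not this site's code and not a reproduction of its actual security.txt; the sample files, the example.invalid URIs and the fixed reference time are all constructed so that it runs offline and deterministically.

```python
"""Minimal RFC 9116 security.txt checker (added example, not this site's code).

Checks the structural rules a defender or crawler would verify before relying
on a published security.txt: required fields present, single-valued fields not
repeated, Contact values carrying a URI scheme, and Expires a valid RFC 3339
timestamp that has neither passed nor been set more than a year out.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference time so the checks below are deterministic.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample that satisfies the checks (example.invalid is a placeholder domain).
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: https://example.invalid/contact
Contact: mailto:security@example.invalid
Expires: 2025-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://example.invalid/.well-known/security.txt
"""

# Constructed sample with three defects: bare e-mail address, duplicate Expires, expired.
BAD_SECURITY_TXT = """\
Contact: security@example.invalid
Expires: 2024-01-01T00:00:00Z
Expires: 2024-02-01T00:00:00Z
"""

REQUIRED = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a URI with a known scheme: {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            # 'Z' suffix is valid RFC 3339; map it for older fromisoformat() versions.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires lacks a timezone offset")
        elif expires <= now:
            problems.append(f"security.txt expired at {value}")
        elif expires - now > timedelta(days=366):
            problems.append("Expires is more than a year out (RFC 9116 recommends at most one year)")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(text, now=FIXED_NOW) or "OK")
```

Run against a file fetched from a site's /.well-known/security.txt, the empty-list result is the signal that the published contact channel can be trusted as current; the most common real-world failure is simply an Expires date that has lapsed.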

What to expect

  • Acknowledgement within a reasonable period (typically a few days; longer over holidays).
  • Best-effort fixes, with a timeline matched to impact.
  • Coordinated disclosure — please wait for a fix to deploy before public discussion.

Safe harbour

Good-faith research that follows this policy will not be pursued. That means: don't attempt to access another person's data, don't degrade service for other visitors, and don't exfiltrate more than the minimum needed to demonstrate the issue. If you're unsure whether something is in scope, ask first.

Thank you.