Responsible disclosure
JustAppSec is not asking people to spend any money or effort on finding vulnerabilities for our assets. We are a small start-up and do not offer monetary rewards at the moment. This may change in the future, and we will update our guidelines and hall of fame accordingly if needed, but for now we want to be very clear that we do not operate a paid bug bounty program, and we will not reward any reports with monetary compensation.
To be absolutely clear: do not complain to us that you found something and we won't pay you. We are not asking you to spend any effort on this; if you do so voluntarily and find something, that's completely up to you. We appreciate the time and skill security researchers invest in bounty hunting, and as soon as we are in a position to run a paid program we will, but we are not doing that now. We do want to hear about potential issues if you find them though. Please report any security concerns to us using the contact information below.
Report a vulnerability
Please include a clear description, steps to reproduce, impact assessment, and any proof of concept needed to validate the issue.
Guidelines
- Avoid automated scanning or stress testing.
- Limit testing to your own accounts and data.
- Avoid privacy-invasive actions, service disruption, or data modification.
- See our security.txt for scope details.
Scope
In scope: public-facing JustAppSec web properties on the justappsec.com and justappsec.co.uk domains. If you are unsure whether something is in scope, email us first.
Legal
We welcome good-faith security research that helps keep our users safe. If you follow these guidelines, act in good faith, and avoid harm, we do not intend to pursue legal action or request law enforcement investigation. This policy does not grant authorization to access, test, or attempt to compromise any system. Any testing is at your own risk and must comply with all applicable laws. We reserve all rights to take action, including civil or criminal remedies, for malicious activity, misuse, or actions that exceed or violate these guidelines. Nothing in this policy waives or limits any legal rights or remedies available to JustAppSec.
Hall of fame
We plan to acknowledge helpful reports here, and if a finding is interesting we may also publish a link to a write-up of it (no guarantees). The entry below is a placeholder as we've not received any reports yet, but we wanted to show how this will look once we do.
Taylor Morgan (Placeholder)
Independent Security Researcher - placeholder entry
Taylor found an unverified cleartext secret that was accidentally committed to our public code repository. The secret was not valid and did not lead to any sensitive data, but it was still a good find and we wanted to acknowledge it here as an example of the type of report we are looking for. We appreciate Taylor's effort in responsibly disclosing this issue to us.
