Security Policy

Last updated: April 1, 2026

Who We Are

Reporting a Vulnerability

We take the security of our website seriously. If you believe you’ve found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, please report them via email to [email protected].

Please include the following information in your report:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Encryption

For sensitive communications, we support PGP encryption. Our public key is available at https://jokinglybad.tech/pgp-key.txt.

Key Details:

  • Email: [email protected]
  • Type: RSA
  • Size: 4096 bits
  • Created: 2025-05-17
  • Fingerprint: (see verification steps below)

To encrypt your message:

  1. Download our public key
  2. Import it into your PGP client
  3. Encrypt your message using the key
  4. Send the encrypted message to [email protected]

Verifying our key: After downloading our key, you can verify its authenticity by running gpg --show-keys pgp-key.txt and confirming the fingerprint matches the one published in our GitHub profile and listed above.
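The download, verify, import and encrypt steps above, as an added POSIX shell example (not a script from this site): it refuses to import the key unless the fingerprint read with gpg --show-keys matches one obtained out of band, and only then encrypts the report. It assumes GnuPG 2.2 or later and curl are installed; the recipient address and the expected fingerprint are placeholders, since the page redacts the address and does not print the fingerprint itself.

```shell
#!/bin/sh
# Added example (not part of the original policy page): fetch a PGP key,
# verify its fingerprint against a value obtained out of band, import it
# only on a match, and encrypt a report to it with GnuPG.
# Assumptions: gpg (GnuPG 2.2+, for --show-keys) and curl are installed.

KEY_URL="https://jokinglybad.tech/pgp-key.txt"   # from the policy page
RECIPIENT="security@example.invalid"              # placeholder: the page's address is redacted
# Placeholder: copy the real value from the publisher's GitHub profile.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Normalise a fingerprint for comparison: drop whitespace, strip an optional
# "0x" prefix and upper-case the hex, so copy-pasted variants compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Return 0 when both arguments are the same full 40-hex-digit fingerprint.
# Anything shorter (a long or short key ID) is rejected: key IDs are
# collidable and must never be used as the verification value.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of a key file without importing it
# (gpg --show-keys, as the page describes), using machine-readable output:
# in colon format the first "fpr" record belongs to the primary key.
fpr_of_keyfile() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full workflow: download, compare against the out-of-band fingerprint,
# import only on a match, then encrypt the report file for the recipient.
send_encrypted_report() {
    report="$1"
    curl -fsSL "$KEY_URL" -o pgp-key.txt
    actual=$(fpr_of_keyfile pgp-key.txt)
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch: got '$actual', expected '$EXPECTED_FPR'" >&2
        return 1
    fi
    gpg --batch --import pgp-key.txt
    # --trust-model always: the key was just verified by hand, so skip the
    # web-of-trust prompt; --armor yields text that can be pasted into mail.
    gpg --batch --trust-model always --armor \
        --recipient "$RECIPIENT" --encrypt --output "$report.asc" "$report"
    echo "encrypted report written to $report.asc"
}

# Run the workflow only when a report file is given, so that sourcing the
# script for its functions has no side effects.
if [ -n "${1:-}" ]; then
    send_encrypted_report "$1"
fi
```

Usage: sh encrypt_report.sh report.txt writes report.txt.asc. The comparison deliberately requires the full 40-digit fingerprint rather than a key ID, and the key is imported only after the match, so a substituted key served at the download URL is caught before anything is encrypted to it.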

Scope

This security policy applies to the following systems and services:

  • codybrunner.com
  • All associated subdomains
  • All associated APIs and services

Out of Scope

The following are considered out of scope for this policy:

  • Third-party services — Vulnerabilities in services we use but do not control (e.g., Umami) should be reported directly to those vendors
  • Findings from automated scanners without demonstrated, verified impact
  • Issues in upstream dependencies already covered by public advisories (e.g., CVEs)
  • Clickjacking on pages with no state-changing actions
  • Missing security headers without demonstrated exploitability
  • Missing best practices that do not directly lead to a vulnerability
  • Denial of service (DoS/DDoS) — Do not test for or attempt denial of service attacks
  • Social engineering or phishing of employees, contractors, or users

Researcher Guidelines

To be covered by our safe harbor commitment (see Legal Considerations below), security researchers must adhere to the following rules of engagement:

  1. Do not access, modify, or delete data belonging to other users. If you encounter another user’s data during testing, stop immediately and report the issue
  2. Do not degrade service availability. Avoid actions that could disrupt the site for other users, including denial of service testing, brute-force attacks, or excessive automated scanning
  3. Do not use social engineering, phishing, or physical attacks against our employees, contractors, or users
  4. Report vulnerabilities promptly. If you discover a vulnerability, report it as soon as reasonably possible
  5. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (see Coordinated Disclosure below)
  6. Comply with all applicable laws. Good-faith security research conducted in accordance with this policy is authorized, but this policy does not override any applicable laws or regulations

What to Expect

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

Within 48 hours, we will make reasonable efforts to provide:

  • An acknowledgment of your report
  • An initial assessment of the report
  • An expected timeline for any required fixes

These timelines are best-effort commitments. During holidays, weekends, or periods of high volume, response times may be longer.

Coordinated Disclosure

We follow a coordinated disclosure model. We ask that researchers give us a minimum of 90 days from the initial acknowledgment of a report to address the vulnerability before making any public disclosure.

If we are unable to resolve the issue within 90 days, we will work with the reporter to agree on an appropriate disclosure timeline.

We may request an extension for particularly complex issues. We will always communicate openly about our progress and any delays.

Recognition

We believe in recognizing the valuable contributions of security researchers. If you are the first to report a unique vulnerability, and we make a code or configuration change based on the report, we will:

  1. Publicly credit you for the discovery (with your permission)
  2. Acknowledge your contribution on our website (with your permission)

This program does not offer monetary compensation. We are a small operation and do not currently run a paid bug bounty program. We appreciate the goodwill of the security community and will always credit researchers who help us improve.

Safe Harbor

JokinglyBadTech LLC considers security research conducted in accordance with this policy to be:

  • Authorized with respect to the Computer Fraud and Abuse Act (CFAA), and we will not initiate or support legal action against researchers for accidental, good-faith violations of this policy
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring claims against researchers for circumvention of security controls
  • Lawful, helpful, and conducted in the public interest

We will not pursue civil or criminal legal action, or support law enforcement action, against researchers who:

  • Act in good faith and in accordance with this policy
  • Follow the Researcher Guidelines outlined above
  • Report vulnerabilities promptly and avoid exploitation beyond what is necessary to demonstrate the issue
  • Do not intentionally access, modify, or exfiltrate data belonging to others
  • Do not knowingly cause harm to the availability of our services

This safe harbor applies to legal claims under our control (such as CFAA and DMCA claims), and does not bind independent third parties.

If at any point you are uncertain whether your conduct complies with this policy, please contact us at [email protected] before proceeding.

Good Faith

A security researcher is acting in “good faith” when they:

  • Make a genuine effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data
  • Only exploit a vulnerability to the extent necessary to confirm its existence
  • Do not use a vulnerability to access, download, or copy data beyond what is needed to demonstrate the issue
  • Cease testing and submit a report once a vulnerability is confirmed

Security Practices

Data Protection

  • This site minimizes personal data collection — see our Privacy Policy for details
  • No cookies are used for tracking
  • All traffic is served over HTTPS

Infrastructure

  • Hosted on Fly.io with automatic TLS
  • Regular security updates applied

Third-Party Services

  • Analytics: Umami (privacy-focused, GDPR compliant)

security.txt

We maintain a security.txt file in compliance with RFC 9116.
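What an RFC 9116 security.txt for this policy can look like, together with a checker for the fields that most often go wrong, as an added POSIX shell example (not the site's actual file or tooling). The file content is constructed here: the Contact address is a placeholder because the page redacts it, the Expires date is generated as 1 January of next year, and the Encryption, Canonical and Policy URLs are the ones this page names.

```shell
#!/bin/sh
# Added example (not the site's own security.txt or tooling): a constructed
# RFC 9116 security.txt for this policy plus a checker for the required
# fields. Only Contact and Expires are required by the RFC; the rest are
# optional. Expires is generated so the sample is always in the future.

SITE="https://codybrunner.com"        # in-scope host named by the policy
NEXT_YEAR=$(( $(date -u +%Y) + 1 ))

SAMPLE_SECURITY_TXT="# Constructed sample; the Contact address is a placeholder
Contact: mailto:security@example.invalid
Expires: ${NEXT_YEAR}-01-01T00:00:00.000Z
Encryption: https://jokinglybad.tech/pgp-key.txt
Canonical: https://codybrunner.com/.well-known/security.txt
Policy: https://codybrunner.com/security-policy
Preferred-Languages: en
"

# Print the value of the first occurrence of a field. Field names are
# case-insensitive per RFC 9116, and lines starting with "#" are comments.
# Split on the first ":" only, because values such as mailto: and https://
# contain colons themselves.
field_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^#/ { next }
        { split($0, kv, ":")
          if (tolower(kv[1]) == tolower(name)) { sub(/^[^:]*: */, ""); print; exit } }'
}

# Validate the text: Contact present and a URI, Expires present, well-formed
# and in the future, and Canonical (if given) pointing at the well-known
# path of SITE. Prints each problem and returns the number of problems.
check_security_txt() {
    txt="$1"; failures=0
    contact=$(field_value Contact "$txt")
    expires=$(field_value Expires "$txt")
    canonical=$(field_value Canonical "$txt")

    case "$contact" in
        mailto:*|https://*|tel:*) ;;
        "") echo "missing required field: Contact"; failures=$((failures+1)) ;;
        *)  echo "Contact must be a URI (mailto:/https:/tel:), got '$contact'"
            failures=$((failures+1)) ;;
    esac

    # Compare the YYYY-MM-DD prefix as a number (YYYYMMDD) against today.
    exp_day=$(printf '%s' "$expires" | cut -c1-10 | tr -d -)
    today=$(date -u +%Y%m%d)
    if [ -z "$expires" ]; then
        echo "missing required field: Expires"; failures=$((failures+1))
    else
        case "$exp_day" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
                [ "$exp_day" -gt "$today" ] || {
                    echo "security.txt expired on $expires"; failures=$((failures+1)); } ;;
            *)  echo "Expires is not an ISO 8601 timestamp: '$expires'"
                failures=$((failures+1)) ;;
        esac
    fi

    if [ -n "$canonical" ] && [ "$canonical" != "$SITE/.well-known/security.txt" ]; then
        echo "Canonical '$canonical' does not match $SITE/.well-known/security.txt"
        failures=$((failures+1))
    fi
    return $failures
}

# Stand-alone run: check the constructed sample.
check_security_txt "$SAMPLE_SECURITY_TXT" && echo "security.txt OK"
```

The expiry check is the one worth automating: an expired security.txt is treated as stale by the RFC, so the file should be regenerated on a schedule rather than edited by hand once. The checker can be pointed at the live file with check_security_txt "$(curl -fsSL "$SITE/.well-known/security.txt")".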

Limitation of Liability

This security policy is provided as a guideline and does not create any contractual obligation, warranty, or guarantee. Response timelines, recognition, and other commitments described in this policy are best-effort and may vary based on circumstances. JokinglyBadTech LLC reserves the right to make determinations regarding good faith and policy compliance on a case-by-case basis.

Updates to this Policy

We may update this security policy from time to time. The latest version will always be available at codybrunner.com/security-policy.