Disclosure Policy

About

I'm awhacken, an independent security researcher based in Montreal, Canada. I conduct vulnerability research on web applications and APIs as part of authorized bug bounty programs and occasional ad-hoc responsible disclosures when I discover security issues affecting real users.

This page describes how I handle disclosures, what you can expect when I contact your team, and how to verify communications from me.

Scope of my research

  • I focus on web application and API security
  • I only test systems where I have authorization (bug bounty scope, public programs, or my own infrastructure)
  • For ad-hoc disclosures (services without a formal program), I limit testing to the minimum required to confirm and document a vulnerability
  • I do not access, copy, exfiltrate, or retain real user data beyond what is strictly necessary to demonstrate impact

How I disclose

When I identify a vulnerability outside of a formal bug bounty program, my process is:

  1. Stop testing immediately once the issue is confirmed
  2. Document minimally — only what's needed to reproduce and assess impact
  3. Contact the affected organization privately through their security contact, security.txt, or a senior security/engineering contact
  4. Provide technical details over an encrypted channel (Signal, or the channel of your choice)
  5. Coordinate a remediation timeline — my default is 90 days from the date of fix to public disclosure, adjustable based on complexity
  6. Public disclosure only after remediation, and only with details that do not put users at residual risk

What you can expect from me

  • Clear, professional communication
  • A reproducible proof of concept
  • A reasonable, flexible disclosure timeline
  • Confidentiality regarding the vulnerability until remediation is complete
  • No public discussion of the issue without coordination
  • No demands, threats, or pressure tactics — disclosure is collaborative

What I ask in return

  • Acknowledgment of receipt within a reasonable timeframe (typically 5 business days)
  • Good-faith engagement on remediation
  • Permission to publish a sanitized writeup after the fix is deployed and affected users have been notified (where applicable)
  • Optional: credit in your security acknowledgments / hall of fame

What I do NOT do

  • Access or download user data beyond the minimum needed to demonstrate impact
  • Sell, share, or publish vulnerability details before remediation
  • Use vulnerabilities for personal gain, extortion, or any malicious purpose
  • Test denial-of-service, social engineering, or physical attacks
  • Engage with vulnerabilities that require credentials I don't legitimately have

Contact

Verifying communications from me

If you receive a message claiming to be from me regarding a security issue:

  • It will come from an @thebughunter.blog address
  • It will reference this disclosure policy
  • I will never demand payment, request credentials, or pressure for urgent action outside a coordinated remediation timeline

If something feels off, verify by emailing disclosure@thebughunter.blog directly.

Last updated: April 2026