// Responsible disclosure
Responsible disclosure / Coordinated Vulnerability Disclosure
Security researchers and reporters are welcome. This page describes how to responsibly report potential vulnerabilities in the public web presence of skopion.de.
Contact
Report to [email protected], preferably PGP-encrypted. Key and contact channels: see /pgp and security.txt (RFC 9116).
Scope
In scope: the public web presence skopion.de. Out of scope: third-party services and infrastructure not attributable to SKOPION.
Rules
- No DoS/DDoS testing
- No social engineering
- No exfiltration, modification or deletion of data
- No persistence and no lateral movement
- No spam and no automated mass queries that disrupt operations
- No physical attacks.
A good report includes
- Affected URL or endpoint
- Reproduction steps
- Assessment of impact and severity
- Evidence (screenshots, logs, request/response)
- Whether automated tools were used.
Classification of reports
Security concerns without reproducible evidence, an affected endpoint and impact are treated as informational feedback, not as confirmed vulnerabilities. Generic missing-header reports without demonstrated exploitability do not qualify as a vulnerability.
Process
We acknowledge receipt, assess the report and keep you informed of the status. We ask for reasonable time to remediate before any disclosure.
There is no entitlement to compensation or reward.