Skip to content.

Scott Arciszewski

Software, Privacy, Security, Innovation

Report a Security Bug

The act of revealing a vulnerability in any code that I have written is a personal choice; as is the manner in which you go about it. If you already have a process you feel comfortable with (full vs coordinated disclosure), go with that. If you are new to disclosing vulnerabilities, please read on.

In my opinion, if you find a security bug in any of the software or services I develop, these bugs should be released via Full Disclosure.

Some ways to fully disclose a security vulnerability:

I promise to never pursue the prosecution of anyone for exploiting any of my systems in order to verify the exploitability of a security bug, because the Computer Fraud and Abuse Act is horse-shit that no sane person would enforce.

The above promise does not extend to the users of my systems or any of their sensitive information; only to the systems I control, the software I write, and myself.

Inspired by BugCrowd's Disclosure Policy repository and Defuse Security.

Edge Cases

If you really insist on not practicing full disclosure, I suppose you could just email it to me. Though if you do, I'm just going to publish it as soon as I resolve it.


Want to hire Scott Arciszewski as a technology consultant? Need help securing your applications? Need help with secure data encryption in PHP?

Contact Paragon Initiative Enterprises and request Scott be assigned to your project.