Security Policy

Please send details to security@blacksandforensics.com with the subject line "Security Vulnerability Report".

For sensitive reports, PGP encryption is available. Our public key is available at blacksandforensics.com/blacksandforensics-pgp-public-key.asc.

We commit to acknowledging receipt of your vulnerability report within 48 hours and will work with you to understand and resolve the issue promptly.

To help us understand and address the vulnerability effectively, please include:

• A clear description of the vulnerability
• Detailed steps to reproduce the issue
• The potential impact of the vulnerability
• Any proof-of-concept code or screenshots (if applicable)
• Your suggestions for remediation (optional)
• Your preferred contact method for follow-up

This security policy applies to:

• blacksandforensics.com and all subdomains
• Our web applications and services
• Our public-facing infrastructure

To ensure responsible disclosure, we ask that you:

• Provide us reasonable time to investigate and address the issue before public disclosure
• Do not access, modify, or delete data belonging to others
• Do not perform actions that could harm the reliability or integrity of our services
• Do not use social engineering, phishing, or physical attacks against our employees or infrastructure
• Act in good faith and avoid privacy violations, data destruction, and service interruption

The following are generally considered out of scope:

• Denial of Service (DoS/DDoS) attacks
• Social engineering attacks against our staff
• Reports from automated tools without validation
• Issues affecting outdated browsers or platforms
• Missing security headers with no demonstrated impact

When you report a security vulnerability to us, we commit to:

• Acknowledge receipt of your report within 48 hours
• Provide an estimated timeline for addressing the issue
• Keep you informed of our progress
• Credit you for the discovery (if desired) once the issue is resolved
• Handle your report with strict confidentiality