Security Policy
The one page on this site with no jokes on it. How to report a security issue, and what happens when you do.
Reporting a Vulnerability
If you discover a security vulnerability in friedstuffwithcheese.com, please report it promptly. This site is operated by 37SOLUTIONS; email your report to security@37solutions.com. Include as much detail as possible: the affected URL, a description of the issue, and steps to reproduce it if applicable.
We cannot respond to vague or non-specific reports. Initial emails must include at least a high-level technical description of the issue and its potential impact so we can assess severity.
What to Expect
- We will acknowledge receipt of your report within 3 business days.
- We will investigate and keep you informed of our progress.
- We will notify you when the issue has been resolved.
- We will not take legal action against researchers who report issues in good faith and follow this policy.
- All coordination is handled asynchronously via email. We do not hold calls or meetings as part of this process.
No Bug Bounty
We do not operate a bug bounty program and do not offer monetary rewards or paid engagements in response to unsolicited vulnerability reports. Submitting a report under this policy does not create any obligation for compensation or future work.
Out of Scope
- Denial of service attacks or any testing that degrades service availability
- Social engineering or phishing attacks targeting our staff
- Automated scanning that generates excessive traffic
Not Acceptable
The following will result in no response:
- Reports that require a phone call, video meeting, NDA, or purchase of a product or service before sharing technical details. If your process requires a call or a demo to disclose the issue, we will not engage.
- Unsolicited sales pitches or tool demonstrations framed as security reports.
Disclosure
We ask that you give us reasonable time to investigate and address a vulnerability before any public disclosure. We are happy to coordinate disclosure timing and will credit researchers who report valid issues if they wish. This policy is referenced in our security.txt file per RFC 9116.