Responsible Disclosure
Last updated: 2026-06-01
Skirret Consulting, LLC welcomes reports of security vulnerabilities in this website and our public-facing services. We are a security firm, and we treat good-faith research with the respect it deserves. If you believe you have found a vulnerability, please tell us.
How to report
Email security@skirretconsulting.com with enough detail for us to reproduce and assess the issue. Helpful reports usually include:
- A clear description of the issue and its potential impact
- The affected URL, page, or component
- Steps to reproduce, with any proof-of-concept
- How we can reach you for follow-up
Our commitment
- We will acknowledge your report within five business days.
- We will keep you informed as we investigate and remediate.
- We will act in good faith and will not pursue legal action against researchers who follow this policy.
- With your permission, we are glad to credit you once the issue is resolved.
Guidelines for good-faith research
To stay within this policy, please:
- Avoid any action that degrades, disrupts, or denies service to others.
- Do not access, modify, or destroy data that is not yours, and do not exfiltrate data. Use only the minimum access needed to demonstrate the issue.
- Do not use social engineering, phishing, or physical attacks against our people or facilities.
- Give us a reasonable amount of time to remediate before any public disclosure, and coordinate timing with us.
Out of scope
- Systems, data, or environments belonging to our clients. This policy covers only assets owned and operated by Skirret Consulting, LLC.
- Third-party services we use (for example, the form handler or hosting provider). Please report those to the respective provider.
- Findings limited to missing best-practice headers or configurations with no demonstrable security impact.
- Volumetric, denial-of-service, or automated scanning that generates excessive traffic.
No bug bounty
We do not currently run a paid bug-bounty program. Reports are handled on a good-faith basis, and we are happy to offer public recognition where appropriate.
Machine-readable policy
A security.txt file describing how to reach us is published at
/.well-known/security.txt.
