Security
BigMike.help welcomes responsible vulnerability disclosure. Security researchers, customers, and curious engineers help us keep infrastructure safe, and we want the process to be transparent and predictable.
How to report a vulnerability
- Email security@bigmike.help with a detailed description of the issue. Attach logs, HTTP requests, and business impact if available.
- Prefer encrypted reports using our PGP key.
- If email is unavailable, use the contact form and mention that it is a security issue.
We acknowledge valid reports as quickly as possible (usually within 48 hours). During investigation we will keep you informed and let you know when mitigation is deployed.
Scope and expectations
- Only test against assets belonging to BigMike.help (domains ending with bigmike.help).
- Avoid accessing customer data, creating denial of service conditions, or degrading production systems.
- Do not publicly disclose vulnerabilities before we confirm the fix.
- Provide reproducible steps and, when possible, a working proof of concept.
Response timeline
- Triage: 1–3 business days to validate the report and evaluate risk.
- Fix: depends on severity; high-risk issues are addressed within 30 days.
- Acknowledgment: after deployment we will coordinate with you on publishing details and credit.
Recognition
Contributors who follow this policy and provide actionable reports are invited to the Security Hall of Fame. With your permission we will list your preferred name, a short description of the resolved issue, and a link to your site or profile.
Thank you for helping protect the BigMike.help community.