This policy covers centralfloridaadu.com and its subdomains. The operator welcomes reports from security researchers and treats all good-faith reports seriously.
Scope
In scope: centralfloridaadu.com and any subdomain operated by this site, except where explicitly excluded.
Out of scope
- Denial-of-service attacks of any kind, including resource-exhaustion testing
- Social engineering of operators, contractors, or third parties
- Physical attacks against infrastructure
- Reports from automated scanners without manual validation and reproducible impact
- Third-party services we depend on but do not control (Cloudflare, GitHub, Porkbun, Proton). Report those upstream.
- Vulnerabilities in unmodified upstream dependencies — report upstream and notify us if relevant
- Issues requiring a privileged position on the local network or the victim’s device
- Missing security headers without demonstrated impact
- Reports based solely on tool output without exploitation evidence
How to report
Email: security@centralfloridaadu.com
For sensitive details, encrypt your report using our PGP key: https://presspause.dev/.well-known/openpgpkey/security.asc
Please include:
- A clear description of the vulnerability and its impact
- Steps to reproduce, including any required preconditions
- The affected URL, endpoint, or component
- Your name or handle if you would like acknowledgment
Reports may be submitted in English or Spanish.
What to expect
This site is operated by a small team. Response times are best-effort, not contractual:
- Acknowledgment of receipt: within 5 business days
- Initial triage: within 14 business days
- Resolution: depends on severity and complexity
We do not currently offer monetary bug bounties. We do offer public acknowledgment with your consent.
Coordinated disclosure
We follow a coordinated disclosure model. By default, please give us 90 days from the initial report before public disclosure. We are happy to negotiate this window in either direction based on severity, complexity, and exploitation evidence.
If we have not responded to a confirmed report within 30 days, you may escalate by re-sending with “ESCALATION” in the subject line.
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, destruction of data, and degradation of service
- Do not exploit vulnerabilities beyond what is necessary to demonstrate impact
- Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them
- Report findings only to us through the channels described above
This safe harbor applies only to actions covered by this policy and does not authorize activity inconsistent with applicable law.
Updates
Last updated April 30, 2026. Material changes will be published here, and the Expires field on our security.txt will be refreshed annually.