Security
Responsible Disclosure
Last updated: 19 April 2026 · security.txt
Secure IT Technologies takes the security of our own infrastructure seriously — as you'd expect. If you have discovered a vulnerability in the Site or any asset listed below, we want to hear about it. This page describes how to report it safely and what you can expect from us in return.
1. In-scope assets
- secure-it.tech
- www.secure-it.tech
- *.secure-it.tech (subdomains we operate)
- secure-it-tech.pages.dev (Cloudflare Pages deployment)
- Source code of the Site when publicly available
2. Out of scope
The following are out of scope and should not be tested:
- Denial-of-service (DoS / DDoS) attacks, rate-limit flooding, or resource exhaustion.
- Physical attacks against our offices or personnel.
- Social engineering of our staff, clients, or contractors (phishing, vishing, pretext calls, recruiter impersonation, etc.).
- Automated scans generating excessive traffic.
- Vulnerabilities in third-party services we rely on (Cloudflare, Microsoft 365, Google Fonts, Web3Forms, etc.) — please report those directly to the vendor.
- Self-XSS, reports requiring physical access to a victim's device, or issues with no practical security impact.
- Outdated TLS configurations on third-party infrastructure we don't control.
3. Rules of engagement
To qualify for safe harbour (section 5), please:
- Act in good faith, with the sole intent of improving our security.
- Test only on accounts and data that belong to you. Do not access, modify, or exfiltrate any other user's data.
- Do not publicly disclose a vulnerability before we confirm it is fixed — or 90 days after your report, whichever is earlier.
- Do not degrade the availability, integrity, or performance of our services.
- Do not extract more data than necessary to demonstrate impact. One record is enough.
- Respect local law and international norms.
4. How to report
Send your report to security@secure-it.tech. Please include:
- A clear description of the issue and the affected asset / URL.
- Steps to reproduce, with screenshots or a short video if it helps.
- Your assessment of impact and severity (CVSS optional).
- Any proof-of-concept payload or script you used.
- Whether you wish to be acknowledged publicly once fixed, and under what name.
PGP-encrypted reports are welcome. Request our current public key by email.
5. Our commitment (safe harbour)
When you act within these rules, Secure IT Technologies will:
- Acknowledge receipt of your report within 2 business days.
- Provide a triage assessment within 5 business days.
- Keep you updated as we investigate, remediate, and verify the fix.
- Not pursue legal action against you for good-faith research that stays within scope and these rules, nor refer the matter to law enforcement.
- Credit you publicly, with your permission, once the issue is resolved.
6. Rewards
We do not currently run a paid bug-bounty programme. We offer our sincere thanks, a published acknowledgement, and — for high-impact reports — a Secure IT Technologies swag pack. As our operation grows we may introduce monetary rewards; if and when that happens, we will update this page.
7. Hall of fame
A list of researchers who have helped us strengthen our security.
Machine-readable version: /.well-known/security.txt (RFC 9116).