Alec Jensen Development Security Policy
Alec Jensen Development takes the security and integrity of its applications, networks, and user data extremely seriously. This policy governs how we protect our Services and outlines the requirements for security researchers engaging in good-faith testing.
Scope and Covered Assets
This policy applies to all public-facing services, applications, APIs, and network infrastructure directly owned and operated by Alec Jensen Development. Assets are considered In Scope if they handle user data, facilitate user interaction, or process financial transactions. This includes, but is not limited to, those hosted under the domains alecj.com, alecj.tk, and 3ln.me.
Any assets not explicitly listed, or that are third-party services integrated but not directly managed by Alec Jensen Development (e.g., social media pages, external payment processors), are considered Out of Scope unless otherwise directed.
Vulnerability Reporting Process
We appreciate the efforts of security researchers in improving the security of our Services. Please follow these guidelines for responsible disclosure:
- Method of Contact: Report the vulnerability using a contact method found on the Contact me page. Please use encrypted communication if available.
- Required Details: Your report must be clear, detailed, and actionable, including:
  - A concise description of the vulnerability.
  - Detailed, repeatable steps to reproduce the issue (including any necessary tools or scripts).
  - The potential security impact and severity.
  - Any relevant proof-of-concept code, screenshots, or network traffic logs.
- Non-Disclosure: Researchers must keep all details of the vulnerability confidential. Please avoid sharing information publicly on blogs, forums, or social media until we have confirmed the issue is resolved.
Response and Remediation Timelines
We strive to respond promptly to all reports that comply with this policy:
- Acknowledgement: Within 5 business days of receipt.
- Triage & Assessment: Within 14 business days to confirm validity and severity.
- Fix & Mitigation: Targeted within 90 days. Remediation time is dependent on the complexity and severity of the vulnerability.
Guidelines for Authorized Testing
To qualify for Safe Harbor (non-prosecution), all research activities must strictly adhere to the following rules:
- Only test against assets explicitly covered under the Scope section.
- Respect the integrity and availability of the Services. Do not conduct Denial-of-Service (DoS), rate-limiting attacks, or any test that could degrade or disrupt production services.
- Do not engage in testing that could violate user privacy, such as accessing, collecting, deleting, or altering data belonging to other users.
- Absolutely no social engineering, phishing, or physical security attacks against any personnel or infrastructure.
- Limit testing to the minimum necessary to prove the vulnerability's existence.
Safe Harbor
If you make a good faith effort to comply with this policy during your security research, we agree not to pursue legal action against you or ask law enforcement to investigate you. We consider activities conducted in accordance with this policy to be authorized.
General Exclusions (Out of Scope)
The following categories of vulnerabilities or testing activities are considered Out of Scope and typically do not qualify for recognition or remediation:
- Denial-of-Service (DoS) and volumetric attacks.
- Theoretical or Best-Practice Recommendations: Best-practice or security-hardening recommendations (e.g., missing security headers, missing DNS records) without a proven, demonstrable security impact that leads to a direct exploit.
- Client-Side Issues: Issues requiring unverifiable user-agents, rooted devices, or outdated browser versions to exploit.
- Vulnerabilities only exploitable through man-in-the-middle (MITM) attacks, unless the vulnerability allows a bypass of transport layer security (TLS).
- Self-XSS: Cross-Site Scripting (XSS) that only affects the user and cannot be exploited by an attacker against other users.
Recognition
We are happy to credit researchers who responsibly report significant, valid, and previously unknown vulnerabilities. Recognition will be provided on our Acknowledgements page, with the researcher's permission.
Last updated: October 12, 2025