Responsible Disclosure Policy

Last updated: November 29, 2025

At Stonegate Security, protecting the websites and online systems we manage is a top priority. We take security seriously, and we deeply appreciate researchers, developers, and everyday users who help keep the internet safer.

This Responsible Disclosure Policy explains how to report potential security issues to us and what you can expect in return. Our goal is to create a safe, respectful, and efficient process for handling vulnerability reports.

Our Commitment to You

If you make a good-faith effort to report a security issue:

• We will not pursue legal action related to your report.
• We will work with you to understand and validate the issue.
• We will respond promptly, typically within 72 hours.
• We will keep you updated as we investigate and fix the issue.
• We will credit you (privately or publicly) upon request, once a fix is deployed.

Coordinated disclosure strengthens the entire community and helps keep our clients safe.

How to Report a Security Issue

If you believe you’ve discovered a security vulnerability affecting Stonegate Security or one of our client sites, please contact us:

• Email: [email protected]
• Web: https://stonegatewebsecurity.com/contact/

Please include:

1. A clear description of the issue
2. Steps to reproduce it
3. Any proof-of-concept code or screenshots
4. The affected domain or system
5. Your contact information (if you want credit)

We ask that you avoid publicly disclosing vulnerabilities until we’ve had reasonable time to investigate and remediate the issue.

Good-Faith Testing Guidelines

To keep the process safe for everyone, please:

• Do not access, modify, or delete data that does not belong to you.
• Do not perform actions that degrade performance or availability.
• Do not run high-volume automated scans that could impact service.
• Do not attempt social engineering, phishing, or physical compromise.
• Do not submit reports for purely theoretical issues without evidence.
• Do not attempt to access accounts without permission.

You may perform non-destructive, good-faith research, including:

• Testing for common web vulnerabilities
• Examining HTTP headers, SSL/TLS, and server configuration
• Checking for outdated scripts or exposed files
• Validating security-related metadata (for example, security.txt)

Out of Scope

The following issues are generally outside the scope of this policy:

• SPF/DMARC record suggestions
• Missing DNSSEC
• Brute-force rate-limit tests
• Content, copy, or SEO-related findings
• Reports generated solely from automated tools without verification
• Social media or third-party platform bugs
• Physical security issues
• UI/UX bugs without a clear security impact

If you are unsure whether something is in scope, reach out anyway — we’re happy to clarify.

Safe Harbor

We support safe-harbor protections for security researchers who follow this policy.

If you act in good faith and follow the guidelines above, Stonegate Security will:

• Consider your actions authorized for the purpose of this research
• Not pursue legal action against you for your report
• View your research as a contribution to security, not an attack

This policy does not grant permission to access client systems without authorization, but it does protect legitimate research efforts intended to help.

Thank You

We’re genuinely grateful for every researcher, tester, and engineer who helps make the web safer. Your work makes a real difference not only for us, but for the businesses and organizations we protect.

Thank you for helping keep Stonegate — and the Lehigh Valley community — secure.