# Security Policy - Marc Houben Web Development

Last Updated: October 27, 2025
Version: 2.0
Contact: security@marchouben.nl

## 🔒 Responsible Security Disclosure Policy

Marc Houben Web Development is committed to maintaining the security of our systems and protecting our users' data. We appreciate the security community's efforts to responsibly disclose vulnerabilities.

## 📧 Reporting Security Vulnerabilities

### How to Report

1. **Email:** security@marchouben.nl (preferred)
2. **Backup:** info@marchouben.nl
3. **Web Form:** https://www.marchouben.nl/contact.html
4. **Encrypted:** Use our PGP key for sensitive reports

### What to Include

- **Vulnerability Type:** XSS, SQL Injection, CSRF, etc.
- **Affected Systems:** Specific URLs, applications, or services
- **Steps to Reproduce:** Detailed reproduction steps
- **Impact Assessment:** Potential security impact
- **Proof of Concept:** Safe demonstration (no data modification)
- **Suggested Fix:** If you have recommendations

## ⏱️ Response Timeline

| **Timeframe** | **Action** |
|---------------|------------|
| **24 hours** | Initial acknowledgment of report |
| **72 hours** | Preliminary assessment and triage |
| **7 days** | Detailed response with timeline |
| **30 days** | Security fix deployment (target) |
| **90 days** | Public disclosure (coordinated) |

## 🎯 Scope & Systems

### **In Scope**

- **Primary Website:** https://www.marchouben.nl
- **Subdomains:** All *.marchouben.nl domains
- **Web Applications:** Custom developed applications
- **APIs:** Public and authenticated endpoints
- **Contact Forms:** Data processing systems

### **Out of Scope**

- **Third-party Services:** External hosted services
- **Social Engineering:** Phishing attempts
- **Physical Security:** Office/hardware security
- **DoS/DDoS:** Denial of service attacks
- **Brute Force:** Password/authentication attacks

## 🏆 Security Researcher Recognition

### **Hall of Fame**

Security researchers who responsibly disclose vulnerabilities will be recognized in our Security Hall of Fame (with permission).

### **Acknowledgment Criteria**

- **Valid Security Issues:** Confirmed vulnerabilities
- **Responsible Disclosure:** Following our policy
- **No Harm:** No data access or system disruption
- **Constructive Communication:** Professional interaction

### **Recognition Includes**

- Public acknowledgment on our website
- LinkedIn recommendation (if requested)
- Reference for future security work
- Potential consulting opportunities

## 🚫 Rules of Engagement

### **Acceptable Testing**

✅ **Allowed:**

- Automated scanning (rate-limited)
- Manual security testing
- Source code review (if available)
- Safe proof-of-concepts

❌ **Prohibited:**

- Data extraction or modification
- Service disruption or DoS
- Social engineering staff/users
- Physical security testing
- Testing third-party systems

### **Legal Protection**

We commit to:

- No legal action for good-faith security research
- Coordinated disclosure process
- Credit for responsible disclosure
- Professional communication

## 🔐 Security Measures

### **Current Protections**

- **HTTPS Everywhere:** SSL/TLS encryption
- **Security Headers:** CSP, HSTS, X-Frame-Options
- **Input Validation:** Server-side sanitization
- **Access Control:** Role-based permissions
- **Regular Updates:** Framework and dependency updates
- **Monitoring:** Security event logging

### **Compliance Standards**

- **GDPR:** EU data protection compliance
- **OWASP Top 10:** Common vulnerability prevention
- **RFC 9116:** Security.txt implementation
- **ISO 27001:** Information security practices

## 📱 Contact Information

### **Primary Security Contact**

- **Email:** security@marchouben.nl
- **Response Time:** Within 24 hours
- **Languages:** Dutch, English, German (basic)
- **Timezone:** CET/CEST (UTC+1/+2)

### **Encrypted Communication**

- **PGP Key:** https://www.marchouben.nl/.well-known/pgp-key.txt
- **Keyserver:** keys.openpgp.org
- **Fingerprint:** [To be updated with actual key]

### **Alternative Contacts**

- **General:** info@marchouben.nl
- **Business:** Available during business hours
- **Emergency:** For critical vulnerabilities only

## 📋 Vulnerability Categories

### **High Priority**

- Remote Code Execution (RCE)
- SQL Injection
- Authentication Bypass
- Privilege Escalation
- Data Exposure

### **Medium Priority**

- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Information Disclosure
- Access Control Issues
- Session Management

### **Low Priority**

- Missing Security Headers
- SSL/TLS Configuration
- Information Leakage
- Best Practice Violations

## 🔄 Update Process

This security policy is reviewed and updated:

- **Quarterly:** Regular policy review
- **As Needed:** After security incidents
- **Annually:** Comprehensive policy audit
- **Community Feedback:** Based on researcher input

## 📚 Additional Resources

- **Security.txt:** https://www.marchouben.nl/.well-known/security.txt
- **PGP Key:** https://www.marchouben.nl/.well-known/pgp-key.txt
- **Contact Form:** https://www.marchouben.nl/contact.html
- **Privacy Policy:** https://www.marchouben.nl/privacy-policy.html

Thank you for helping us maintain a secure environment for our users and systems.

This policy is inspired by industry best practices and responsible disclosure guidelines from organizations like HackerOne, Bugcrowd, and the security research community.