Security Policy
JS Labs accepts responsible disclosure reports covering public services hosted under the lab estate.
Report a vulnerability
Email security@jamessawyer.co.uk with:
- affected host or path
- reproduction steps
- impact assessment
- proof-of-concept details if available
Scope and handling
Good-faith testing on public endpoints is permitted. Avoid destructive actions, denial-of-service activity, data exfiltration, credential reuse, or changes to account state.
The canonical machine-readable disclosure record is /.well-known/security.txt.