Security: textstat/.github

SECURITY.md

Security Notice

What?

This is the security notice for all Textstat repositories. The notice explains how vulnerabilities should be reported to Textstat.

Reporting a Vulnerability

If you’ve found a vulnerability, we would like to know so we can fix it.

You can report a vulnerability to Textstat via email: alxwrd@googlemail.com.

When reporting a vulnerability to us, please include:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • details of the steps we need to take to reproduce the vulnerability
  • non-destructive exploitation details

If you are able to, please also include:

  • the type of vulnerability, for example, the OWASP category
  • screenshots or logs showing the exploitation of the vulnerability

If you are not sure if the vulnerability is genuine and exploitable, or you have found:

  • a non-exploitable vulnerability
  • something you think could be improved - for example, missing security headers

Then please still contact us via email: alxwrd@googlemail.com.

Guidelines for reporting a vulnerability

When you are investigating and reporting a vulnerability on a Textstat domain or subdomain, you must not:

  • break the law
  • access unnecessary or excessive amounts of data
  • modify data
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt a denial of service - for example, overwhelming a service with a high volume of requests
  • disrupt services or systems
  • tell other people about the vulnerability you have found until we have disclosed it
  • social engineer, phish or physically attack our staff or infrastructure
  • demand money to disclose a vulnerability

Only submit reports about exploitable vulnerabilities via email.

Bug bounty

Unfortunately, Textstat doesn't offer a paid bug bounty programme. Textstat will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.

Code of Conduct

Textstat has a contributor code of conduct, which you can find here: [CODE_OF_CONDUCT.md]
