Security

Last updated 12 June 2026

Responsible security reports are welcome. This page explains what to include, what is in scope, and how reports will be handled.

On this page
  1. Reporting a vulnerability
  2. In scope
  3. Out of scope
  4. Responsible testing
  5. Response
  6. Disclosure

Reporting a vulnerability

If you believe you have found a security issue affecting thomasbarden.com, email hi@thomasbarden.com with the subject "Security report".

Include a clear description, the affected URL or feature, steps to reproduce the issue, its potential impact, and any supporting evidence that does not expose personal information or secrets.

In scope

  • the public pages and API endpoints served from thomasbarden.com;
  • the contact form and its submission workflow;
  • security-header or content-security-policy weaknesses; and
  • exposure of credentials, personal information, or non-public website data.

Out of scope

  • social engineering, phishing, physical attacks, or denial-of-service testing;
  • automated scanning that creates excessive traffic or contact-form submissions;
  • reports about third-party services without a demonstrated impact on this website; and
  • issues requiring unsupported browsers, compromised devices, or user-installed malware.

Responsible testing

Please avoid accessing, modifying, retaining, or sharing information belonging to another person. Do not disrupt the website, bypass rate limits at scale, or use a finding beyond what is necessary to demonstrate it safely.

Response

Reports will be reviewed in good faith. Receipt will normally be acknowledged within seven days where the report contains enough information to investigate. No reward or public recognition programme is currently offered.

Disclosure

Please allow reasonable time for investigation and remediation before publishing details. Coordinated disclosure timing can be discussed by email.

Thomas Barden

Aspiring software engineer and IT learner building practical tools, accessible interfaces, and dependable systems.

hi@thomasbarden.com

Ireland · Remote

© 2026 Thomas Barden. All rights reserved.
