First, thank you for finding the security issue.
Please do not publicly disclose the security issue until it is fixed.
Contact me through the client panel (for clients), the helpdesk, or email. Do not call me about security issues: I need to keep a log of the conversation, and that is difficult to do over a phone call.
Please include as much information as possible.
There are some rules for testing security-related issues:
- Provide a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Contact me using the correct methods.
- Do not cause any damage to the client panel or related third party services.
- Avoid privacy violations, disruptions of service, destruction of data, etc.
- Only interact with accounts that you own or have permission from the account holder to use.
- Do not attempt to DoS/DDoS the service. You will be banned.
- Do not attempt to spam, social-engineer, or phish.
- The report must make it clear how to reproduce the security issue. In other words, include a proof of concept.
- If the security issue is with a third party, you may consider reporting it directly to them.
- Some reports may be rewarded (for example: discount on next month of website development).
- Basically, follow ethical practices.