$ cat /etc/internalhost/responsible-disclosure

Responsible disclosure

Version 1.0 · Last updated: 2026-05-19 · machine-readable: /.well-known/security.txt

Found a bug, vulnerability or abuse? Tell us. We value responsible disclosure and respond within 48 hours — usually faster.

How to report

  • Email: [email protected] — preferred for written reports with reproducible PoC.
  • Signal: link in the footer. For real-time triage or when actively exploited.
  • PGP: not published yet. Will be once we actually receive sensitive reports.

Please include in your report at minimum: steps to reproduce, impact estimate, affected URL/hostname, your contact info for follow-up.

In scope

  • Production infrastructure: *.internalhost.eu and anything routed via AS204729.
  • Customer portal: this website (Paymenter).
  • Mail infrastructure: mail.internalhost.eu, mx2.internalhost.eu.
  • Our public source code on github.com/internalhost-eu.

Out of scope

  • Customer servers (VPS / dedicated / colocation): those belong to our customers. No testing without written permission from the owner. We reserve the right to report unauthorised research on customer IPs to the police.
  • Denial of Service and volumetric attacks.
  • Spam, phishing, social engineering of our staff or customers.
  • Theoretical issues without a working Proof of Concept.
  • Automated scanner findings without manual verification ("your SSL doesn't score A+ on Qualys" is not a vulnerability).
  • Upstream issues in open-source projects (Laravel, Filament, Paymenter, CloudPanel, etc.) — please report those directly.

What we commit to

  • We respond within 48 hours, usually within 8 business hours.
  • We investigate seriously and keep you posted on progress.
  • We take no legal action against researchers acting in good faith and following this policy.
  • Confirmed issues get a hall-of-fame mention (if you want one) and a personal Signal thanks from Nick.
  • We patch vulnerabilities before public disclosure. Default disclosure window: 90 days after confirmation, shorter when actively exploited.

What we don't offer

No bug-bounty program with cash rewards. We're a small team. What you do get:

  • Public credit on this page (or anonymous, your call).
  • InternalHost merch (once we have any).
  • A conversation about the bug itself, not about manager-driven priorities.

Hall of fame

Researchers who helped us. Thanks.

Empty for now — be the first.