Security Policy

I take security seriously. If you've discovered a vulnerability, I appreciate your help in disclosing it responsibly.

Reporting a Vulnerability

If the report contains any sensitive information, please encrypt it using my PGP key (see below).

If you believe you've found a security vulnerability in any of my projects or websites, please report it by emailing [email protected].

Please include as much detail as possible to help me understand and reproduce the issue:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Affected URL(s) or project(s)
  • Any proof-of-concept code or screenshots
  • Your assessment of the potential impact

Response Timeline

  • 24-48 hours: Initial acknowledgment of your report
  • 7 days: Assessment and initial response with next steps
  • 90 days: Target resolution timeframe for confirmed issues

Scope

This policy applies to:

  • samdjames.uk and its subdomains
  • Open source projects I maintain
  • Client projects where I am the primary contact for security matters

Out of Scope

The following are generally not considered valid security issues:

  • Social engineering attacks
  • Physical attacks against infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Missing security headers that don't lead to exploitable vulnerabilities
  • Clickjacking on pages with no sensitive actions
  • Rate limiting issues unless they lead to a significant security impact

Safe Harbour

I consider security research conducted in accordance with this policy to be:

  • Authorized and I will not pursue legal action
  • Exempt from restrictions in any applicable Terms of Service
  • Helpful and conducted in good faith

I ask that you act in good faith, avoid privacy violations, destruction of data, and interruption or degradation of services during your research.

PGP Key

For encrypted communications, you can use my PGP key:

Fingerprint: 1C30 FCBE C309 E07F BDB0 0F09 5860 95A2 D239 4AC3

You can download the public key from here.

security.txt

This site follows the RFC 9116 standard. You can find the machine-readable security policy at:

/.well-known/security.txt
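As an added illustration of what a file following that standard looks like, and of how a site owner can sanity-check one before publishing it, here is a small RFC 9116 parser and checker. This is example code written for this page, not the site's own security.txt or tooling: the host example.invalid, the contact address and the key URL are constructed placeholders, and only the fingerprint is the one given in the PGP Key section.

```python
"""Tiny RFC 9116 (security.txt) parser and sanity checker.

Added example, not the policy page's own file or code. The host, contact
address and key URL below are constructed placeholders; only the PGP
fingerprint is the one published on the policy page.
"""
from datetime import datetime, timezone

# Constructed sample of what /.well-known/security.txt might contain.
SAMPLE_SECURITY_TXT = """\
# Placeholder values: example.invalid is not the real host.
Contact: mailto:security@example.invalid
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.invalid/pgp-key.asc
Encryption: openpgp4fpr:1C30FCBEC309E07FBDB00F09586095A2D2394AC3
Preferred-Languages: en
Canonical: https://example.invalid/.well-known/security.txt
Policy: https://example.invalid/security
"""

# Constructed sample that breaks several RFC 9116 rules: a plain-http
# Contact URI, two Expires fields, and a misspelled (unknown) field name.
BROKEN_SECURITY_TXT = """\
Contact: http://example.invalid/contact
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Hire: https://example.invalid/jobs
"""

# Field names defined in RFC 9116 section 2.5 (names are case-insensitive).
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption",
    "Expires", "Hiring", "Policy", "Preferred-Languages",
}
_CANONICAL_NAME = {f.lower(): f for f in KNOWN_FIELDS}

# Contact must be a URI; web URIs in security.txt must use https.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Return {field: [values...]} from security.txt text, skipping comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments carry no fields
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        name = name.strip()
        # Normalise known names to their RFC spelling; unknown names stay as written.
        name = _CANONICAL_NAME.get(name.lower(), name)
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    # Contact: one or more values, each a URI with an allowed scheme.
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact: at least one value required")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact: must be a mailto:, tel: or https: URI, got {contact!r}")

    # Expires: exactly one value, an ISO 8601 timestamp that has not passed.
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: exactly one value required (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires: timestamp must carry a time zone")
            elif when <= now:
                problems.append("Expires: file has expired and must be treated as stale")
        except ValueError:
            problems.append(f"Expires: not an ISO 8601 timestamp: {expires[0]!r}")

    # Anything outside the registered field set is probably a typo.
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r} (not defined in RFC 9116)")
    return problems


if __name__ == "__main__":
    print("sample:", check_security_txt(SAMPLE_SECURITY_TXT) or "OK")
    print("broken:", check_security_txt(BROKEN_SECURITY_TXT))
```

Running the checker against the real file before deploying it catches the two failures that most often make a published security.txt useless in practice: a lapsed Expires value and a Contact that is not a valid URI.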

PGP Encryption

If you don't have a PGP client set up, you can use the encryption tool on this page to encrypt your message with my PGP key.

Acknowledgements

Thank you to the following security researchers who have responsibly disclosed vulnerabilities:

No reports yet. Be the first to responsibly disclose a vulnerability!

Responsible Disclosures

This section highlights a selection of security issues I’ve responsibly disclosed to companies and open-source projects.
Disclosures were conducted in good faith, following responsible disclosure norms, and communicated directly to the relevant parties.

Information is intentionally high-level and excludes sensitive technical details.

CosmicSting Mass Vulnerability Scanning - Multiple Retailers Magento Stores

Conducted automated scanning and responsible disclosure to hundreds of Magento stores vulnerable to the critical CosmicSting XXE vulnerability, ranging from small businesses to large enterprises, helping merchants mitigate risks before active exploitation.

→ Read the Writeup

Magento 2 Admin Backdoor - Major Power Tools Franchise Magento Store

Identified a publicly accessible PHP backdoor script providing unauthorized administrative access to a Magento store as well as a SQL console to the database.

Magento 2 Sensitive Information Disclosure - Tattoo Retailer Magento Store

Identified a vulnerability that allowed unauthorized access to sensitive files, ranging from payment log files to configuration files containing database credentials, package auth keys and API keys, potentially leading to further exploitation.

Magento 2 Sensitive Information Disclosure - Photonics Manufacturer Magento Store

Identified a vulnerability that allowed unauthorized access to sensitive files, ranging from payment log files to configuration files containing database credentials, package auth keys and API keys, potentially leading to further exploitation.

Collection of Stored XSS Vulnerabilities - Mirasvit Magento Extensions

Discovered and reported a collection of stored XSS vulnerabilities across a range of Mirasvit extensions, to prevent malicious scripts being injected into both the admin and frontend interfaces.

SQL Injection in Pay360 Order Export - Pay360 Magento 1 Extension

Identified and reported an SQL injection vulnerability in the order export functionality of a Pay360 Magento 1 extension, to prevent potential manipulation of database queries and access to sensitive information.

All disclosed issues were responsibly reported and resolved with the affected parties.

All product names, logos, and companies referenced are trademarks or registered trademarks of their respective owners.

This disclaimer may be removed at the publisher’s discretion, but the content remains informational and all issues were responsibly disclosed.