Policy
We're pretty simple when it comes to coordinated vulnerability disclosures.
- Security issues with our site or infrastructure can be reported to security@kedalion.nl. (S/MIME key)
- We do not have a bug bounty program, but will offer a small monetary compensation for real, critical security issues.
- We will acknowledge anyone who reports issues, here on this page.
- Spam issues may be reported to abuse@kedalion.nl.
- And yes, we have a security.txt.
The public key for S/MIME email to security@kedalion.nl can be found here.
Acknowledgements
Thanks to:
- Vaibhav Jain, for suggesting we set up MTA-STS. (Jan 2025)
- Dankel Ahmed, for reminding us that our hosting provider doesn't support DNSSEC. (Jan 2025)
- Ashok Kumar Pareek, for suggesting we implement a TLS-RPT record. (Apr 2025)
- Devansh Chauhan, for suggesting we upgrade jQuery (which was included in a RapidWeaver theme). (May 2025)
- Parth Narula, for pointing out that the TLS-RPT record we made (see above) was incorrectly configured. (June 2025)
- Akhil C.D., for helping us realise that Dreamhost ignores .htaccess files if there is no index.[html,php,etc]. (June 2025)
Also:
- DMARC Digests, for pointing out that, while we had proper DKIM keys, one domain wasn't signing emails. (June 2025)
- AppMailDev, for providing a free and solid resource to prove that DKIM-signed emails work. (June 2025)