Responsible Disclosure

Reporting a vulnerability

If you believe you have found a security vulnerability in the Goshbob website, we encourage responsible disclosure. Please report it using the contact form and include as much detail as possible about what you found.

A machine-readable security contact file is also available at /security.txt (and at /.well-known/security.txt per RFC 9116).

What to include

• A description of the vulnerability and where it exists
• Steps to reproduce the issue
• Any supporting evidence such as screenshots or request logs
• Your assessment of the potential impact

Our commitment

• We will acknowledge receipt of your report within 7 business days
• We will investigate and work to remediate confirmed vulnerabilities promptly
• We will keep you informed of progress where appropriate

Scope

This policy covers the goshbob.com.au website and any directly operated subdomains. It does not cover third-party services referenced from this site (Cloudflare, Google Fonts, Bootstrap CDN, LinkedIn).

Good faith expectations

We ask that you act in good faith: do not access or modify data you are not authorised to access, do not disrupt services, and do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.

Goshbob will not pursue legal action against researchers who follow this policy in good faith.

No bug bounty

Goshbob does not currently operate a paid bug bounty programme. We do appreciate responsible disclosures and will acknowledge your contribution where you would like to be credited.