Last updated: 2020-03-07
As with any publicly reachable system, I do not assume my infrastructure is "unhackable". I make it as hard to break into as I can, but nothing and no one is infallible. For that reason I'd like to lay down my views regarding penetration tests against anything on my infrastructure that I hold ownership rights to. This includes not only this website and its webserver but also any of my infrastructure that is publicly hosted under my domains (such as the DNS and mail servers).
If you'd like to conduct "ethical" penetration tests against my infrastructure, I hereby invite you to do so. I can't reasonably deny it anyway: if it isn't you, it will be someone else with more nefarious goals, so it's in my best interest to allow it. However, keep in mind that I do not permit you to exploit any service or gain access to my networks beyond what is required for reconnaissance and/or to produce a proof of concept. Once you have a proof of concept, send it to me by email at security at [insert my domain here]; nixmagic.com is the primary email domain, but all of the other ones work too. The usual three-month private disclosure period applies, during which I will attempt to fix the issue. Afterwards we can both disclose the issue publicly; for my part, crediting you on this website seems the most appropriate form of acknowledgement. I'm open to discussing this as part of the vulnerability report itself.
Do keep in mind, however, that I run these services out of my own infrastructure and my own pocket. I can't currently offer any financial reward for finding security issues in it. If that's fine with you, then by all means go ahead and play with it; as long as you play nice, I won't stop you.
Additionally, I reserve the right to determine whether or not a penetration test was legitimate, and accordingly whether or not I will prosecute. I'm open to penetration tests, but I need this legal cover. In a nutshell: play nice.