Security Policy
This page explains how we protect wolferdawg.io and how to report security issues responsibly.
Effective date
January 12, 2026
Important Notice
If you believe you found a vulnerability affecting wolferdawg.io or our related services, we want to hear from you. Please report issues privately so we can investigate and fix them safely.
1. Reporting a Security Issue
Preferred reporting channels
- Email: [email protected]
- Alternative: [email protected] (if the primary mailbox is unavailable)
What to include in your report
- A clear description of the issue and the affected URL(s) or system(s)
- Steps to reproduce the issue (proof of concept preferred)
- Any logs, screenshots, request/response samples, or relevant payloads
- Your assessment of impact (what an attacker could do)
- Your contact info and preferred method of follow-up
Encryption
If you need encrypted communications, request our PGP public key by emailing [email protected].
Emergency issues
If the issue involves active exploitation, significant data exposure, or account takeover risk, mark your email subject line as: URGENT: Security issue.
2. Scope
This policy applies to security vulnerabilities in the following:
- The wolferdawg.io website and subdomains we own and operate
- Public-facing web applications, APIs, and forms hosted by Wolferdawg IT under the wolferdawg.io domain
- Marketing and lead-capture workflows directly connected to wolferdawg.io (forms, email routing, CRM integrations)
Out of scope
The following are generally out of scope (but you can still report them if you think there is real risk):
- Issues in third-party platforms we do not control (unless misconfiguration or integration is clearly ours)
- Denial-of-service (DoS/DDoS), load testing, or stress testing
- Social engineering attempts (phishing, vishing, physical security testing)
- Vulnerabilities that require physical access to a device or premises
- Informational findings with no reasonable exploit path
3. Safe Harbor
We support good-faith security research. If you follow this policy, we will not pursue legal action against you for:
- Good-faith testing intended to avoid harm
- Reporting vulnerabilities promptly and privately
- Making a reasonable effort to avoid privacy violations and service disruption
Safe harbor is conditioned on compliance with the guidelines below. This policy does not authorize actions that violate applicable law, compromise data, or disrupt service.
4. Testing Guidelines
Please do
- Test only against assets in scope
- Use the minimum level of access needed to demonstrate the issue
- Stop testing as soon as you confirm the vulnerability
- Limit request rates and avoid performance impact
- Report issues quickly, including remediation suggestions if you have them
Please do not
- Access, modify, or delete data that is not your own
- Attempt to exfiltrate data or secrets (tokens, keys, credentials)
- Run automated scanners at high volume or attempt denial-of-service
- Use exploits that persist, spread, or affect other users
- Publicly disclose a vulnerability before we have had a chance to address it
What we typically accept as valid findings
- Authentication and authorization issues (IDOR, privilege escalation)
- Injection flaws (SQLi, command injection, SSRF where applicable)
- Cross-site scripting (XSS) and CSRF with meaningful impact
- Security misconfigurations that expose data or allow unauthorized actions
- Sensitive data exposure (PII leakage, token leakage)
5. Disclosure Process
Our typical workflow
- Acknowledgement: We aim to acknowledge your report within a reasonable timeframe.
- Triage: We assess severity, scope, and exploitability.
- Fix: We work to remediate or mitigate the issue.
- Validation: We verify the fix and may request retesting details.
- Closure: We close the report and document outcomes where appropriate.
Coordinated disclosure
We prefer coordinated disclosure. If you intend to publish details, please coordinate with us so we can protect users and clients. If a public deadline is needed, include it in your initial report.
Bug bounty
Wolferdawg IT does not currently operate a public bug bounty program. We still appreciate responsible reports and may offer recognition at our discretion (for example, a thank-you note or public credit).
6. Data Handling and Privacy
What we collect
wolferdawg.io may collect information you submit through forms, as well as standard web analytics and security logs. Examples include your name, email, message details, IP address, user-agent, and timestamps.
How we use security-related data
- Detecting and preventing abuse, fraud, or unauthorized access
- Troubleshooting and incident investigation
- Maintaining website reliability and performance
Retention
We retain security logs and related records for as long as needed for legitimate security, operational, and legal purposes. Retention periods can vary based on system and regulatory requirements.
Reporting sensitive data
Do not send sensitive personal data in plain text. If your report includes potentially sensitive information, tell us what you found and request a secure transfer method.
7. Secure Practices
Transport security
- We aim to enforce HTTPS for web traffic where supported.
- We review TLS configuration and certificates periodically.
Access control
- Administrative access is restricted to authorized personnel.
- We use least-privilege principles where feasible.
- We aim to use multi-factor authentication (MFA) for critical systems.
Patch and vulnerability management
- We apply security updates to supported software in a timely manner.
- We monitor for high-impact vulnerabilities affecting our stack and providers.
Secure development and configuration
- We review configuration changes to reduce the risk of misconfiguration.
- We use backups and staged changes where appropriate.
- We aim to follow secure coding practices for custom components.
Monitoring
- We monitor for suspicious activity and anomalous access patterns.
- We maintain audit trails for administrative actions where supported.
8. Third Parties and Subprocessors
wolferdawg.io may rely on reputable third-party providers for hosting, analytics, forms, email delivery, and CRM services. These providers may process limited data as needed to deliver their services.
For vendor-specific privacy information, refer to our Privacy Policy and the applicable provider terms.
9. Incident Response
If we confirm a security incident, our response typically includes:
- Containment steps to stop or limit impact
- Investigation to determine scope, root cause, and affected systems
- Remediation and hardening to prevent recurrence
- Notification where legally required or appropriate based on risk
- Post-incident review and documented improvements
10. Client Service Security
Wolferdawg IT provides managed services that may include security monitoring, endpoint protection, identity controls, and incident response for clients. The specifics vary by contract and scope of work.
If you are a client with a suspected incident, use your agreed-upon support channel or email [email protected] and include "Security Incident" in the subject line.
11. Contact
- Primary: [email protected]
- Help Desk: [email protected]
12. Change Log
- January 12, 2026 — Initial publication.