Red Stick Cyber takes security seriously, including the security of our own assets. We welcome reports from security researchers, customers, and members of the public who believe they have found a vulnerability in any of our publicly accessible systems. This page describes how to reach us, what's in scope, and what you can expect in return.
1. How to report a vulnerability
Send a report to security@redstickcyber.com. If that mailbox is not reachable, send to info@redstickcyber.com with "Security Report" in the subject line.
To help us triage quickly, please include:
- A clear description of the vulnerability and the impact you believe it has.
- Steps to reproduce, including URLs, payloads, and any screenshots or logs.
- The affected asset (URL, hostname, or service).
- Date and time you observed the issue, including time zone.
- Whether you'd like to be credited publicly when the issue is resolved, and the name or handle to credit.
We'll acknowledge receipt within three business days and provide a target remediation timeline once we've reproduced the issue.
2. Scope
✓ In scope
- redstickcyber.com and any subdomain we control
- The static site, its assets, and DNS configuration
- Email security configuration of the redstickcyber.com domain (SPF, DKIM, DMARC)
✗ Out of scope
- Third-party services we use but do not operate (Microsoft 365, Microsoft Bookings, Tiiny.host, Formspree, our domain registrar). Report those directly to the relevant vendor's security team.
- Denial-of-service or volumetric testing
- Social engineering of our staff, customers, vendors, or family members
- Physical attacks against any premises
- Findings derived from publicly available information that are not exploitable on our systems
- Self-XSS, missing best-practice headers without demonstrable impact, and theoretical issues without a working proof-of-concept
3. Rules of engagement
While testing, you must:
- Stop at proof-of-concept. Do not extract data, modify content, or maintain access beyond what is needed to demonstrate the issue.
- Use only your own accounts and data. Do not interact with, attempt to access, or attempt to compromise other people's accounts, sessions, or data.
- Avoid disruption. Do not perform testing that could degrade service for legitimate users — no DoS, no resource-exhaustion attacks, no automated scanning that generates significant load.
- Respect privacy. If you encounter sensitive information, stop and report it. Do not save, copy, transfer, or share it.
- Hold disclosure. Give us a reasonable opportunity to remediate before publicly disclosing the issue. We will work with you on a coordinated disclosure timeline.
- Comply with the law. All testing must remain within applicable U.S. and Louisiana law.
4. Safe harbor
Good-faith research is welcome. If you make a good-faith effort to comply with this policy during your security research, Red Stick Cyber will:
- Consider your activities to be authorized under the Computer Fraud and Abuse Act and any analogous Louisiana state law.
- Not pursue civil action or initiate a complaint to law enforcement against you for your research.
- Work with you to understand and resolve the issue quickly.
If legal action is initiated by a third party against you for actions consistent with this policy, we will make it known that your conduct was authorized. This safe harbor does not apply to activity that goes beyond the scope or rules in this policy.
5. What you can expect from us
- An acknowledgement of your report within three business days.
- An initial triage and severity assessment within seven business days.
- Regular updates on remediation progress for confirmed issues.
- Public credit for the discovery (with your permission), once the issue is fully remediated.
- An open conversation. If we disagree on severity, scope, or impact, we'll explain our reasoning and listen to yours.
6. No bug bounty
Red Stick Cyber does not currently offer a paid bug bounty program. Our recognition is non-monetary — public credit, a reference, or a thank-you. We may revisit this in the future.
7. Questions
Red Stick Cyber LLC
Prairieville, Louisiana, USA
Security: security@redstickcyber.com
General: info@redstickcyber.com