Security policy

Report a Vulnerability on an uh.live or an allo-media.net Domain or Subdomain

A vulnerability is a technical issue with the uh.live or allo-media.net websites or APIs that attackers or hackers could exploit to compromise the website and its users.

Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.

Note: We do not offer monetary rewards for reporting vulnerabilities (also known as a “bug bounty”).

How to Report a Vulnerability

When submitting a report, please include:

  • The IP address and/or URL of the page where you found the vulnerability.
  • A description of the type of vulnerability (e.g., XSS vulnerability).
  • Detailed steps to reproduce the vulnerability.
  • Screenshots or logs if available.

Guidelines for Reporting a Vulnerability

When investigating and reporting a vulnerability on an uh.live or allo-media.net domain or subdomain, you must not:

  • Break the law.
  • Access unnecessary or excessive amounts of data.
  • Modify data.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt a denial of service attack (e.g., overwhelming a service with high-volume requests).
  • Disrupt uh.live or allo-media.net services or systems.
  • Disclose the vulnerability to others before we have officially addressed it.
  • Engage in social engineering, phishing, or physical attacks against our staff or infrastructure.
  • Demand money to disclose a vulnerability.

To report exploitable vulnerabilities or other security issues, please contact us. You may also report:

  • Non-exploitable vulnerabilities.
  • Areas that could be improved (e.g., missing security headers).
  • TLS configuration weaknesses (e.g., weak cipher suite support or TLS 1.0 presence).

Data Protection

When reporting a vulnerability, you must adhere to data protection regulations. This means:

  • You must not share any data retrieved from our sites during vulnerability research.
  • You must keep any data secure until it is deleted.
  • You must delete the data as soon as we confirm it is no longer needed, or within one month after the vulnerability has been resolved—whichever comes first.

After You’ve Reported a Vulnerability

  • You will receive an acknowledgment of your report within 5 working days.
  • We aim to assess your report within 10 working days.
  • Fixes are prioritized based on impact, severity, and exploit complexity.
  • Once the vulnerability is fixed, we can collaborate with you on disclosure and publication of the report.

Updates to This Page

Last updated: 05 February 2025