Security Policy
If you believe you found a security issue in systems operated by IT Help San Diego Inc., please report it responsibly.
Contact
- Email:
security@it-help.tech - Suggested subject:
Security Report - [brief summary] - If active exploitation is in progress, include
URGENTin the subject line.
If you need a different secure reporting channel, request one in your initial email.
What To Include
Please include enough detail for reliable triage:
- A clear description of the issue and impact.
- Exact URL(s), endpoint(s), or component(s) affected.
- Reproduction steps and any prerequisites.
- Proof of concept, logs, or screenshots (when safe to share).
- Your contact information for follow-up.
Scope
This policy applies to internet-facing assets owned and operated by IT Help San Diego Inc. for it-help.tech.
If you report an issue in third-party infrastructure, include evidence showing how it directly affects our operated assets.
If your assessment is part of a formally authorized program (government, regulatory, or contracted), include the authorization reference so we can route it correctly.
Authorized Security Testing
IT Help San Diego participates in recurring external security assessments, including CISA Cyber Hygiene scanning and other explicitly authorized testing engagements.
Activities that may otherwise be out of scope are permitted when authorization exists in writing (for example: program agreement, statement of work, or rules of engagement).
Authorized testing may include:
- Phishing or social engineering exercises.
- Red-team activity.
- Controlled active testing that is agreed in advance.
For authorized engagements, follow the signed rules of engagement and designated escalation channels.
Authorized Assessment Intake
For government, regulatory, or contracted testing, include:
- Program or sponsor name.
- Authorization reference (agreement/SOW/ROE identifier).
- Assessment window (start/end in UTC).
- Source IP ranges or infrastructure identifiers.
- Primary operator contact for real-time coordination.
Safe Harbor
If you act in good faith and follow this policy, we will treat your research as authorized for coordinated vulnerability disclosure and will not pursue legal action for your report.
This policy does not limit or override permissions granted under separate written government, regulatory, or contractual testing agreements.
Good-faith testing means:
- Avoiding privacy violations, data destruction, and service disruption.
- Accessing only the minimum data required to demonstrate the issue.
- Stopping testing after obtaining proof and reporting promptly.
- Not sharing, retaining, or reusing any non-public data.
Out Of Scope
The following are generally out of scope unless there is demonstrable business impact:
- Social engineering, phishing, or red-team activity without explicit written authorization.
- Physical attacks or local network attacks requiring physical access, unless expressly authorized in writing.
- Denial-of-service (DoS/DDoS), traffic flooding, or resource exhaustion testing, unless expressly authorized in writing with defined scope, windows, and safeguards.
- Vulnerabilities that depend on outdated/unpatched client software with no direct server-side impact.
- Reports without reproducible evidence.
Response Targets
- Initial acknowledgment: within 3 business days.
- Triage/status update: typically within 10 business days.
- Remediation timeline: risk-based and dependent on complexity.
Public Disclosure
Please do not publicly disclose vulnerabilities until remediation is complete or a coordinated timeline is agreed upon in writing.
Bug Bounty
IT Help San Diego Inc. does not currently operate a paid bug bounty program.
Acknowledgments
We appreciate responsible reports that improve security outcomes. Public credit can be coordinated after remediation, based on reporter preference and operational constraints.
security.txt
Machine-readable reporting details are published at:
https://www.it-help.tech/.well-known/security.txthttps://www.it-help.tech/security.txt
Last updated: February 14, 2026.