Security Policy
Last updated: June 2026
The German version of this Security Policy is authoritative. This English version is provided for convenience and transparency only.
1. Purpose
This Security Policy explains how security issues relating to this website can be reported.
This website is a personal portfolio and professional profile. It does not provide public user accounts, an online shop, payment functionality, a forum or a public comment system.
2. Security Contact
If you suspect a vulnerability, misconfiguration, data incident or other security issue, please contact me at:
Please use a clear subject line, for example:
Security Report – jialianglai.com
3. What May Be Reported
Relevant reports may concern in particular:
- publicly accessible sensitive files,
- accidentally published credentials or tokens,
- incorrect security headers,
- XSS or injection risks,
- insecure external integrations,
- errors in cookie or consent functions,
- privacy or tracking misconfigurations,
- unintended disclosure of personal data,
- insecure forms,
- redirect or link abuse,
- misconfigurations in the hosting or deployment context.
4. Unauthorised Actions
In particular, the following are not permitted:
- exploiting a vulnerability beyond proof of concept,
- accessing third-party or non-public data,
- modifying, deleting or exfiltrating data,
- denial-of-service testing,
- social engineering,
- phishing,
- spam,
- brute-force attacks,
- automated mass scans that place load on the website,
- physical attacks or attacks against third-party providers,
- public disclosure of a vulnerability before appropriate clarification.
5. Expected Information
A helpful security report usually includes, where possible:
- affected URL,
- brief description of the issue,
- technical steps to reproduce,
- browser and device, if relevant,
- screenshots or logs, if helpful,
- possible impact,
- suggested remediation, if available,
- a way to contact you for follow-up questions.
Please do not submit personal data of third parties, unnecessary secrets or data that you are not permitted to disclose.
6. Handling of Reports
I review incoming security reports to the best of my knowledge and within the means available to me.
As this is a personal website, no fixed response time or processing deadline can be guaranteed. I will, however, endeavour to review comprehensible and relevant notices in a timely manner.
7. No Bug Bounty Programme
This website does not operate a public bug bounty programme.
There is no entitlement to payment, reward, acknowledgement, publication or any other consideration.
A named acknowledgement may be made in individual cases if this has been agreed in advance.
8. Data Protection in Security Reports
Personal data transmitted as part of a security report will be processed solely for the purpose of reviewing and handling the report.
The legal basis is Article 6(1)(f) GDPR. My legitimate interest lies in the security and integrity of this website.
Further information can be found in the Privacy Policy.
9. Responsible Disclosure
Please give me a reasonable opportunity to review and remedy a reported issue before making information public.
If immediate public disclosure appears necessary for security or legal reasons, please state this in your report.
