Security Policy
Last updated July 17, 2026
The Kingfish Project — kingfish.la · Effective date: July 17, 2026
How to read this policy
Plain language: Every section starts with a short summary in everyday English. The summaries help you understand; the detailed text underneath is the official version.
Each section begins with a plain-language summary, written following the Federal Plain Language Guidelines and ISO 24495-1. Summaries aid understanding; if a summary is ever inconsistent with the full text beneath it, the full text controls.
The short version
Plain language: We run our own infrastructure, we protect source material above everything else, and we want to hear about security problems. If you research our systems in good faith, we will thank you — not sue you.
Our security commitments
Plain language: Traffic is encrypted, staff use hardware security keys, sensitive source material is encrypted with tightly limited access, and tip systems are kept separate from everything else. If an incident ever affects your data, we’ll tell you and post a public notice.
- Encryption in transit. All site traffic is served over HTTPS, and we enforce it.
- Self-hosted core. Our publishing system, document archives, and tip infrastructure run on infrastructure we operate. Our short list of outside providers is disclosed in our Privacy Policy.
- Strong staff access controls. Internal systems sit behind single sign-on with hardware security keys, and access follows least privilege — people get access to what their work requires, nothing more.
- Source material comes first. Sensitive source material is stored encrypted, with access restricted to the journalists working on the story.
- Separated tip systems. Our tip channels, including our encrypted tip form, are operated on dedicated infrastructure, separated from the rest of our systems.
- Maintenance. We keep our systems patched and updated on a regular schedule.
- Incident response. If a security incident affects your personal information, we will notify affected people promptly and post a public notice on the site describing what happened and what we did about it.
Reporting a vulnerability
Plain language: Found a security problem? Email [email protected] or message us on Signal. We’ll respond within 3 business days, keep you posted while we fix it, and credit you publicly if you’d like. We’re a small nonprofit and don’t pay bounties — but we will be genuinely grateful.
If you believe you have found a security vulnerability in any of our systems, report it to:
- Email: [email protected]
- Signal: TheBoatyMcBoatFace.01
Helpful reports include a description of the issue, steps to reproduce it, your assessment of the impact, and — if you would like updates or credit — a way to reach you. Anonymous reports are welcome.
When you report a vulnerability, we commit to:
- Acknowledging your report within 3 business days.
- Assessing the issue and giving you an expected remediation timeline.
- Keeping you informed as we work on a fix.
- Telling you when the issue is resolved.
- Crediting you publicly, if you want credit.
We do not operate a paid bug bounty program. We ask that you give us 90 days, or a mutually agreed coordinated date, before disclosing an issue publicly, so we can protect readers and sources while we fix it.
Scope
Plain language: Everything public-facing that we run is fair game — the site, subdomains, newsletter systems, document archives, and tip channels including our encrypted tip form. Third-party platforms, phishing our staff, and denial-of-service testing are not.
In scope: all public-facing infrastructure we operate, including kingfish.la and its subdomains, our newsletter systems, our public document archives, and our tip channels, including our GlobaLeaks tip form.
Out of scope:
- Vulnerabilities in third-party platforms we use (Cloudflare, Google, Mailgun, YouTube, Vimeo) — report those to the vendor.
- Social engineering or phishing of our staff, contributors, or sources.
- Physical attacks against people, offices, or equipment.
- Denial-of-service, volumetric, or resource-exhaustion testing, and automated scanning that degrades service.
- Spam, and issues requiring an unrealistic level of user interaction.
Rules of engagement
Plain language: Take only the access needed to prove the issue exists. If you stumble onto personal data — or anything that looks like source material — stop immediately, don’t copy it, and tell us. Mark any tip-channel tests clearly as tests.
- Access, copy, and retain only the minimum data necessary to demonstrate the vulnerability, and do not maintain persistent access.
- If you encounter personal information — or anything that appears to be journalistic source material — stop immediately, do not copy, store, or share it, and report what you found. This is the single most important rule on this page.
- If you test our tip channels, clearly mark test submissions as security tests, and never attempt to access other people’s submissions.
- Do not destroy data, degrade services, or use a vulnerability for extortion or personal gain beyond recognition under this policy.
Safe harbor
Plain language: If you follow this policy in good faith, we consider your research authorized. We won’t sue you, we won’t refer you to law enforcement, and if someone else comes after you for research we authorized, we’ll say so — loudly.
For security research conducted in good faith and in accordance with this policy:
- We consider your research authorized under applicable anti-hacking laws, including the Computer Fraud and Abuse Act and their state equivalents, and we will not initiate or support legal action against you for it.
- We waive any claim under the Digital Millennium Copyright Act, Section 1201, for circumvention of technological measures as part of your research on our systems.
- We will not refer good-faith research conducted under this policy to law enforcement.
- If a third party initiates legal action against you for research we authorized, we will make it known that your activities were conducted under this policy.
- If you violate this policy accidentally and in good faith, tell us — we will work with you, not against you.
This safe harbor applies only to systems we operate. We cannot authorize research against third-party systems, even ones we use.
Machine-readable contact
Plain language: Security tools and researchers can find our contact details automatically at kingfish.la/.well-known/security.txt.
We publish a security.txt file conforming to RFC 9116 at https://kingfish.la/.well-known/security.txt.
Contact
[email protected] The Kingfish Project, 1924 Albert St, Alexandria, LA 71301