Security Policy
Proper Tools is a small consultancy. Our attack surface is correspondingly modest: a static website, email, and the professional relationships we maintain.
We take the security of all three seriously.
Security is not a feature. It is a practice.
Reporting a Vulnerability
If you've identified a security issue affecting:
- propertools.be
- or any published Proper Tools material
Please contact:
If that address is unresponsive, use:
We will acknowledge your report within 48 hours and aim to provide a substantive response within 5 business days.
If the issue presents active risk, say so clearly in your subject line.
If you’re looking for security.txt, you already know where to check: /.well-known/security.txt (the location RFC 9116 specifies).
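As an added illustration of what a well-formed security.txt has to contain (this is example code written for this page, not a file or tool from Proper Tools), the following validator parses a security.txt body and applies the core RFC 9116 rules: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Contact must be a URI (mailto:, tel:, or https://), and Expires must be an RFC 3339 date-time that has not passed. The sample file and every address in it are constructed placeholders, not the real Proper Tools file or contact.

```python
"""Minimal validator for a security.txt file as defined by RFC 9116.

Added example; not part of the Proper Tools site. The SAMPLE below is
constructed for illustration, and the addresses in it are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample of what /.well-known/security.txt might contain.
SAMPLE = """\
# Constructed example security.txt (not the real Proper Tools file)
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""

# RFC 9116 field names are matched case-insensitively.
REQUIRED = {"contact", "expires"}
KNOWN = REQUIRED | {"acknowledgments", "canonical", "encryption",
                    "hiring", "policy", "preferred-languages"}
AT_MOST_ONCE = {"expires", "preferred-languages"}


def parse_security_txt(text):
    """Return {field_name: [values]} for each field line; skip comments and blanks.

    Field names are lower-cased; values keep their case, since URIs may be
    case-sensitive. A non-comment line without ':' is a malformed file.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field: {name}")
    for name in sorted(AT_MOST_ONCE & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"field must appear at most once: {name}")
    for name in sorted(fields.keys() - KNOWN):
        problems.append(f"unknown field (check spelling): {name}")

    for value in fields.get("contact", []):
        # RFC 9116 requires a URI; web contacts must use https, not http.
        if not value.lower().startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact is not a recognised URI: {value}")

    for value in fields.get("expires", []):
        try:
            # Accept the trailing 'Z' form, which fromisoformat rejects before Python 3.11.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"expires has no timezone offset: {value}")
        elif expires <= now:
            problems.append(f"security.txt has expired: {value}")
    return problems


if __name__ == "__main__":
    # Expected: an empty list, meaning the constructed sample passes.
    print(check_security_txt(SAMPLE))
```

A stale Expires is the most common real-world defect in published security.txt files, which is why the check treats a past date as a hard failure rather than a warning; a file nobody will ever renew is worse than no file, because researchers will trust a contact that may no longer be read.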
What We Ask of Reporters
Be specific. Tell us:
- what you found
- how you found it
- what the likely impact is
Reproduction steps help. Screenshots help. Clarity helps.
We will not pursue legal action against good-faith security researchers.
(Legal action really isn't our style anyway.)
What We Commit To
Honest acknowledgment. If you find something real:
- We will say so.
- We will fix it.
- We will credit you (unless you prefer anonymity).
We do not operate a formal bug bounty program. We do offer:
- gratitude
- public acknowledgment if desired
- and the quiet satisfaction of helping a resilience consultancy practice what it preaches
On “Secure by Design”
There is no such thing as perfectly secure software.
This is not pessimism. It is mathematics.
In 1936, Alan Turing proved that no general procedure can decide, for every program and input, whether that program will halt. In 1931, Kurt Gödel proved that any consistent formal system powerful enough to express arithmetic contains true statements it cannot prove.
Translated:
- You cannot eliminate all bugs.
- You cannot prove all correctness.
- You cannot design away all failure modes.
Security is not the absence of defects. It is the disciplined management of inevitable imperfection.
Which means:
- We design for resilience.
- We design for detection.
- We design for recovery.
- We assume compromise is possible.
- We assume every tool is dual-use.
- We accept that perfection is not achievable.
This is not defeatism. This is engineering.
Scope
In scope:
- propertools.be
- resources published under the Proper Tools name
Out of scope:
- third-party services (Buttondown, GitHub, etc.) — please report issues with those services to their respective security teams.
Coordinated Disclosure
We prefer coordinated disclosure.
If you are considering public disclosure, please contact us first so we can:
- assess impact
- remediate responsibly
- coordinate timing
We will not request indefinite silence. We will request reasonable time.
Resilience is a stance toward entropy.