The Hidden Jewel · Tucson, Arizona

Vulnerability Disclosure Policy

Effective April 28, 2026

We take the security of The Hidden Jewel website and the personal information of our guests seriously. If you believe you have found a security vulnerability on our site, we encourage you to let us know so we can address it promptly. We appreciate responsible disclosure and will work with you in good faith.

1. Scope

This policy applies to security vulnerabilities found on the following:

hiddenjeweltucson.com — the primary guest-facing website

This policy does not apply to third-party services we use (such as Google, payment processors, or booking platforms). Please report vulnerabilities in those services directly to their respective security teams.

2. How to Report

Send your report by email to:

Email: precizionworkz@gmail.com
Subject line: Security Vulnerability Report — The Hidden Jewel

Please include the following in your report:

A description of the vulnerability and its potential impact
The URL or area of the site where the issue was found
Step-by-step instructions to reproduce the issue
Any supporting screenshots, videos, or proof-of-concept (non-destructive only)
Your name or alias (optional — anonymous reports are accepted)

3. What to Expect

After you submit a report we will:

Acknowledge receipt within 3 business days
Assess the report and follow up with our findings
Work to resolve confirmed issues as quickly as reasonably possible
Notify you when the issue has been addressed, if you provided contact information

We do not currently offer monetary rewards (bug bounties) for vulnerability reports, but we genuinely appreciate responsible disclosures and will acknowledge your contribution if you wish.

4. Responsible Disclosure Guidelines

We ask that you:

Give us reasonable time to investigate and remediate before publicly disclosing the issue
Avoid accessing, modifying, or deleting data that does not belong to you
Avoid disrupting or degrading the site for other users
Act in good faith and comply with all applicable laws

We will not take legal action against researchers who discover and report vulnerabilities in accordance with this policy.

5. Out of Scope

The following are considered out of scope and should not be tested or reported:

Denial-of-service (DoS/DDoS) attacks or any testing that degrades site availability
Social engineering or phishing attempts against staff or guests
Physical security issues
Spam or email flooding
Vulnerabilities that require physical access to a user's device
Issues in third-party services outside our control

6. Governing Law

This policy is governed by the laws of the State of Arizona, United States. Any disputes arising under this policy shall be resolved in the courts of Pima County, Arizona.

7. Contact

For all security-related inquiries:
Email: precizionworkz@gmail.com
Property: The Hidden Jewel, Tucson, Arizona