Disclosure Policy
How we disclose what we find
We report privately to the maintainer or the program first, through whichever channel they publish: a GitHub security advisory, a bug bounty program, or the security contact listed in their security.txt file.
We give maintainers a standard window to ship a fix, typically 90 days, and we extend it when a fix is genuinely in progress. We publish details only after a fix ships or the window closes, whichever comes first. Proofs of concept stay minimal: enough to demonstrate the issue and let the maintainer reproduce it, never weaponized tooling.
How to report an issue to us
If you find a problem in anything we run or publish, write to [email protected], encrypted if you prefer (PGP key). We read every report, we respond, and we credit you in the fix or advisory if you want credit.
We will not pursue anyone acting in good faith: testing kept within reason, no data taken beyond what is needed to prove the point, no disruption of the service or its users. Tell us what you found and we will fix it.