Contact & disclosure

Open a secure channel

Use the form to start a conversation, or reach us directly over PGP. We triage every inbound report and aim to acknowledge within 72 hours.


Disclosure policy

Coordinated vulnerability disclosure

This is the policy we follow when we report to others, and the one we ask researchers to follow when reporting to us.

Safe harbor

We will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to respond.

Scope

Reports should concern hardware, firmware, or systems we research or publish on. Please do not test against any live third-party infrastructure.

The window

Our default is 90 days from acknowledgment to public disclosure. We will extend in good faith when a fix is in progress, and shorten only if a flaw is being actively exploited.

What helps

A clear description, affected versions, reproduction steps, and your assessment of impact. A minimal proof of concept speeds validation enormously.

What we publish

Once coordinated, we publish a technical advisory with remediation guidance. We credit reporters by their preferred name or handle, or anonymously on request.

No bounty

We are an independent collective, not a bug-bounty program. We do not pay for reports, but we always credit good work.