// contact

Get in touch

$ echo $SECURITY_EMAIL
security disclosures

Use this address for vulnerabilities in systems we operate. Encrypt sensitive reports with our current team PGP key (fingerprint 9B80 FD6F B83A 1D7A 5F29 53D1 191B 3644 0B65 0C07). Key: /pgp.asc.

$ echo $INFO_EMAIL
general inquiries

Press, collaboration, interviews, conference talks, joint research, and general questions. We read everything, but response times vary.

Disclosure policy

We follow coordinated disclosure: vendors receive technical detail before publication, and users receive clear information once a fix or disclosure window is available.

Timeline

  • Day 0: private report to the vendor through its security contact or bug bounty program. If no security contact exists, we notify the CERT most relevant to the product's jurisdiction.
  • Day 0–30: we answer reasonable questions, provide additional reproduction detail, and review proposed patches when requested.
  • Day 90 (default): public disclosure on this site and in any assigned CVE trackers. Extensions are granted when a concrete remediation plan is in progress.
  • Active exploitation: disclosure may be accelerated if we find evidence of in-the-wild exploitation, limited to the detail defenders need to act.

Scope of our research targets

We only test systems we are authorized to assess: public demos and APIs within documented limits, products we license, open-source software we can run locally, and targets covered by a vulnerability disclosure or bug bounty program. We do not attempt account takeover against other users, exfiltrate real user data, or damage availability.