
Report a vulnerability

Reporting a vulnerability in our systems

If you find a flaw in fuzzmind.io, any of our open-source tooling, or any system we operate: email us (PGP encrypted when the report contains sensitive details). Please include the evidence listed below; reports that do not meet this bar may not receive a response.

What every report must include

  • A working PoC: script, payload, request, or attached file we can run end-to-end
  • The exact version, commit hash, or build you tested against
  • Step-by-step reproduction that can be followed without guesswork
  • Screenshots and a short screen recording showing the issue against that version
  • Concrete impact such as data exposure, code execution, lateral movement, or persistence
  • Confirmation that you reproduced the issue end-to-end yourself, not only from static review or model output
  • Your preferred credit line (optional)

AI-assisted reports

AI-assisted research is welcome when the finding is manually verified. Unverified model-generated reports are not useful to triage and may be closed without response.

What gets rejected

  • Reports that read like raw model output: template phrasing, vague impact, or missing reproduction
  • Findings based only on static analysis or LLM code review, with no runtime evidence
  • Speculative chains without a working PoC
  • Duplicates of public CVEs in upstream dependencies we already track
  • Best-practice or hardening recommendations without an exploitable vulnerability

Reports that meet this standard receive acknowledgment within 72 hours and updates through remediation. Persistent low-quality submissions, especially unverified AI-generated reports, may be blocked from this disclosure channel. Safe harbor applies to good-faith research that stays within this policy.

Key information

  • /.well-known/security.txt — machine-readable contact and policy
  • /pgp.asc — current team PGP public key (fingerprint 9B80 FD6F B83A 1D7A 5F29 53D1 191B 3644 0B65 0C07)