Security & Trust Center
Our security posture, disclosure policies, and contact channels for vulnerability reports.
VULNERABILITY DISCLOSURE POLICY
We operate a coordinated vulnerability disclosure program. Security researchers are encouraged to report vulnerabilities responsibly. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
We do not pursue legal action against researchers who report vulnerabilities in good faith and comply with this policy. We request a 90-day disclosure window from the initial report date.
VULNERABILITY DISCLOSURE PROGRAM (VDP)
Our Vulnerability Disclosure Program (VDP) invites security researchers to report vulnerabilities in good faith. We do not offer monetary rewards; we acknowledge contributors in our security hall of fame and work with you to remediate issues before any public disclosure.
Reports are triaged by severity. We follow coordinated disclosure and provide clear response timelines.
| SEVERITY | TARGET RESPONSE | SCOPE |
|---|---|---|
| CRITICAL | < 24 hours | RCE, Auth Bypass, Data Exfil |
| HIGH | < 48 hours | XSS, SSRF, Priv Escalation |
| MEDIUM | < 5 days | CSRF, Info Disclosure |
| LOW | < 10 days | Misconfig, Rate Limiting |
PGP PUBLIC KEY
Use this key to encrypt sensitive communications. All vulnerability reports should be encrypted when they contain exploit details or proof-of-concept code.
INFRASTRUCTURE SECURITY
All lab environments run in fully isolated virtual machines with strict network segmentation. Ephemeral instances are destroyed after each session. Zero-trust networking is enforced at every boundary.