What to include
Describe the affected URL or system, the observed behavior, reproduction steps, potential impact and any supporting evidence. Use the subject line “Responsible Disclosure Report.” Do not include unnecessary personal data or protected third-party information.
Good-faith research
Limit testing to systems you are authorized to assess. Avoid privacy violations, social engineering, physical intrusion, service disruption, destructive actions, automated high-volume traffic, data extraction beyond the minimum proof, or accessing another person’s account.
Protecting sensitive findings
Do not publish or share a suspected vulnerability before we have had a reasonable opportunity to investigate and address it. If a report could expose protected architecture, physical security details or sensitive partner information, begin with a minimal description so a controlled communication path can be established.
Our process
We will review credible reports, seek clarification when needed and prioritize according to potential impact and exploitability. Response and remediation timing depends on scope, complexity and affected systems. This page does not create a bug-bounty program or promise compensation.
Out of scope
Reports limited to missing best-practice headers without demonstrated impact, self-XSS, clickjacking on pages without sensitive actions, rate-limit observations without a security consequence, automated scanner output without validation, or third-party services outside our control may not receive individual follow-up.