Skip to content

Security

Found something? Tell us. We answer, and we don't threaten researchers.

If you build tools that assume a hostile network, you invite scrutiny of your own. We want the reports. This page is our coordinated-disclosure policy.

  • 01

    How to report

    Email sam@rusthorn.com, PGP-encrypted preferred. Our public key is published in our DNS TXT record. Include enough to reproduce; a proof-of-concept helps. We acknowledge within 2 business days.

  • 02

    Safe harbour

    Good-faith research conducted under this policy will not be pursued or reported by us. Don't access data that isn't yours, don't degrade service, don't run automated scans that amount to a denial of service, and give us reasonable time to fix before publishing.

  • 03

    Scope & bounty

    In scope: our shipping products and the domains we operate. Out of scope: our fictional-in-nature partner/press content, third-party infrastructure, and social engineering of staff. Bounty tiers are published to reporters on triage; we pay for real, novel findings.

Disclosure. We coordinate a publication date with you and credit you unless you ask us not to. If we disagree with your severity assessment, we say so on the record, we do not silence it.

Machine-readable policy: /.well-known/security.txt.