Security
Found something? Tell us. We answer, and we don't threaten researchers.
If you build tools that assume a hostile network, you invite scrutiny of your own. We want the reports. This page is our coordinated-disclosure policy.
-
01
How to report
Email sam@rusthorn.com, PGP-encrypted preferred. Our public key is published in our DNS TXT record. Include enough to reproduce; a proof-of-concept helps. We acknowledge within 2 business days.
-
02
Safe harbour
Good-faith research conducted under this policy will not be pursued or reported by us. Don't access data that isn't yours, don't degrade service, don't run automated scans that amount to a denial of service, and give us reasonable time to fix before publishing.
-
03
Scope & bounty
In scope: our shipping products and the domains we operate. Out of scope: our fictional-in-nature partner/press content, third-party infrastructure, and social engineering of staff. Bounty tiers are published to reporters on triage; we pay for real, novel findings.
Disclosure. We coordinate a publication date with you and credit you unless you ask us not to. If we disagree with your severity assessment, we say so on the record, we do not silence it.
Machine-readable policy: /.well-known/security.txt.