LEGAL // RESPONSIBLE DISCLOSURE

Responsible disclosure.

This policy skeleton describes how to report vulnerabilities in BleedWatch systems. Founder must confirm the final safe-harbor language, PGP key, and reward posture before launch.

In-scope assets

labs.bleedwatch.com and bleedwatch.com. Additional assets may be accepted only when explicitly acknowledged by [email protected].

Reporting channel

Send reports to [email protected]. Include affected asset, reproduction steps, impact, timestamps, and your preferred acknowledgment name. PGP fingerprint is a launch placeholder pending founder confirmation.

Safe harbor

We will not pursue legal action against good-faith security research that stays within these limits: no privacy harm, no service disruption, no persistence on our systems, no extortion, no social engineering, and no access to or retention of data beyond the minimum needed to demonstrate the issue.

Out of scope

Spam, denial-of-service testing, automated high-volume scanning, physical attacks, social engineering, and any report whose reproduction requires access to another user's private data are out of scope.

Rewards

Current reward structure is acknowledgment and swag where appropriate. Monetary bounties are not committed for v1 and must not be implied.

Publication

Public disclosure requires written coordination with BleedWatch. We aim to acknowledge valid reports quickly and provide a reasonable remediation timeline.