Coordinated vulnerability disclosure
Report safely. Preserve users. Fix the root cause.
Effective July 11, 2026. This policy authorizes good-faith research within the scope and rules below.
How to report
Email security@reaperci.dev with the affected component and version, impact, prerequisites, minimal reproduction, and a safe contact method. Use an encrypted attachment only after coordinating a key. Never send production credentials, private keys, customer content, or exploit data unrelated to the finding.
In scope
- Public ReaperCI core, CLI, connector, installer, images, and release pipeline
- ReaperCI-managed domains and services explicitly owned by the operator
- Authentication, authorization, tenant isolation, secret handling, approvals, audit integrity, connector command boundaries, and supply-chain verification
- Reports demonstrating material data exposure, deployment-safety bypass, remote execution, or cross-tenant impact
Rules of engagement
Use only accounts and infrastructure you own or have explicit permission to test. Minimize access, stop after proving impact, avoid persistence, do not alter or delete data, do not degrade availability, and give ReaperCI a reasonable remediation period before disclosure. Social engineering, physical attacks, denial of service, automated high-volume scanning, third-party provider testing, and customer-tenant testing are not authorized.
Safe harbor
When research follows this policy, is intended to improve security, and complies with applicable law, ReaperCI will treat it as authorized, will not initiate legal action for the research, and will work to clarify ambiguity. This safe harbor cannot bind third parties or excuse unrelated unlawful conduct.
Response targets
- Acknowledge a complete report within three business days
- Provide an initial severity and scope assessment within seven business days
- Send a status update at least every fourteen days while remediation is open
- Prioritize confirmed critical issues for immediate containment and coordinated release
- Credit the reporter when requested and legally permissible
Targets are not a bug-bounty promise or production SLA. ReaperCI does not currently offer monetary rewards.
Disclosure
Coordinate publication timing and content so users can update safely. ReaperCI will publish advisories for material released-product issues, including affected versions, impact, mitigations, fixed versions, and credit. If communication stops or users face imminent harm, contact us again before disclosing.