Coordinated vulnerability disclosure

Report safely. Preserve users. Fix the root cause.

How to report

Email security@reaperci.dev with the affected component and version, impact, prerequisites, minimal reproduction, and a safe contact method. Use an encrypted attachment only after coordinating a key. Never send production credentials, private keys, customer content, or exploit data unrelated to the finding.

In scope

Rules of engagement

Use only accounts and infrastructure you own or have explicit permission to test. Minimize access, stop after proving impact, avoid persistence, do not alter or delete data, do not degrade availability, and give ReaperCI a reasonable remediation period before disclosure. Social engineering, physical attacks, denial of service, automated high-volume scanning, third-party provider testing, and customer-tenant testing are not authorized.

Safe harbor

When research follows this policy, is intended to improve security, and complies with applicable law, ReaperCI will treat it as authorized, will not initiate legal action for the research, and will work to clarify ambiguity. This safe harbor cannot bind third parties or excuse unrelated unlawful conduct.

Response targets

Targets are not a bug-bounty promise or production SLA. ReaperCI does not currently offer monetary rewards.

Disclosure

Coordinate publication timing and content so users can update safely. ReaperCI will publish advisories for material released-product issues, including affected versions, impact, mitigations, fixed versions, and credit. If communication stops or users face imminent harm, contact us again before disclosing.

← Security and trust