
Vulnerability Disclosure Policy

This policy defines how jankesec researches, reports, and coordinates vulnerability disclosures, in alignment with ISO/IEC 29147 (vulnerability disclosure) and coordinated disclosure best practices.

Safe Harbor

When conducting authorized vulnerability research, jankesec operates within the bounds of applicable laws and the explicit scope defined by the target organization. Research activities are non-destructive, documented, and designed to minimize operational impact.

Any organization that receives a vulnerability report from jankesec agrees to consider the research as authorized and conducted in good faith. jankesec will not pursue legal action against organizations that act in good faith to remediate reported issues, and expects the same consideration in return.

Disclosure Timeline

Day 0: Vulnerability discovered, documented, and internally validated
Day 0 to 3: Initial notification sent to the vendor or affected party with technical details and reproduction steps
Day 3 to 30: Active coordination period: support remediation, answer technical questions, validate patches
Day 30 to 90: Remediation verification; extension negotiable for complex or deeply embedded issues
Day 90+: Public disclosure: CVE assignment (if an ID was not already reserved during coordination) and technical write-up published on jankesec.com

The default disclosure window is 90 days, counted from the initial notification rather than from discovery. Extensions are granted when the vendor demonstrates active, good-faith remediation progress. Critical or actively exploited vulnerabilities may follow an accelerated timeline.

Report Requirements

To ensure efficient triage and remediation, all reports submitted to jankesec or received from jankesec include the following structured information:

Asset: Affected product, version, and deployment context
Context: Tested account role, privilege level, and configuration state
Evidence: Exact HTTP request/response pairs, timestamps, and reproduction environment
Impact: Technical and business impact assessment, including exploitability constraints
Remediation: Suggested fix, patch guidance, or compensating controls

Scope & Boundaries

Research is conducted exclusively on systems within the authorized testing scope. The following activities are explicitly out of scope for all jankesec research:

Contact

For vulnerability reports, coordination requests, or questions about this policy: