Vulnerability Disclosure
How to report security vulnerabilities to the Ethotechnics Institute, what systems are in scope, and our response timelines.
Responsible disclosure
Report quietly, remediate quickly
Use this process for security findings. Include reproducible evidence so we can validate and fix with minimal back-and-forth.
Jump to
Key sections
Scope
Systems covered by this policy
Report vulnerabilities affecting the public website, APIs, and published machine-readable standards artifacts.
- In scope:
ethotechnics.orgpages and static assets. - In scope: repository code and generated artifacts hosted on this domain.
- Out of scope: third-party services not controlled by the institute.
- Out of scope: purely theoretical findings without a reproducible proof.
Reporting channel
How to submit a vulnerability report
Send one report per issue so triage and remediation clocks stay explicit.
- Email security@ethotechnics.org with the subject line [Vulnerability report].
- Include impact summary, affected URL/path, reproducible steps, and suggested remediation if available.
- For low-risk issues, you may also use the contact form and reference this disclosure policy.
- Canonical machine-readable record: /.well-known/security.txt.
Timelines
Expected response and remediation windows
These targets apply once a complete report is received.
| Stage | Target | What you can expect |
|---|---|---|
| Acknowledgment | Within 2 business days | Confirmation that the report was received and entered into triage. |
| Triage decision | Within 5 business days | Severity classification and whether additional evidence is needed. |
| Remediation plan | Within 10 business days | Fix timeline, temporary mitigations, and disclosure coordination details. |
Safe harbor
Good-faith research protections
We will not pursue action against good-faith researchers following this policy.
- Avoid privacy violations, data destruction, and service disruption.
- Do not exfiltrate data beyond what is needed to demonstrate impact.
- Give us a reasonable remediation window before public disclosure.
Recognition
Disclosure outcomes
With your permission, we can credit your report in release notes or incident documentation.
We appreciate responsible disclosure. If you want attribution, include your preferred name and profile URL in your initial report.