Security

Version v1.0.0 Last updated 2026-02-22

Vulnerability Disclosure

How to report security vulnerabilities to the Ethotechnics Institute, what systems are in scope, and our response timelines.

Responsible disclosure

Report quietly, remediate quickly

Use this process for security findings. Include reproducible evidence so we can validate and fix with minimal back-and-forth.

Scope

Systems covered by this policy

Report vulnerabilities affecting the public website, APIs, and published machine-readable standards artifacts.

  • In scope: ethotechnics.org pages and static assets.
  • In scope: repository code and generated artifacts hosted on this domain.
  • Out of scope: third-party services not controlled by the institute.
  • Out of scope: purely theoretical findings without a reproducible proof.

Reporting channel

How to submit a vulnerability report

Send one report per issue so triage and remediation clocks stay explicit.

  • Email security@ethotechnics.org with the subject line [Vulnerability report].
  • Include impact summary, affected URL/path, reproducible steps, and suggested remediation if available.
  • For low-risk issues, you may also use the contact form and reference this disclosure policy.
  • Canonical machine-readable record: /.well-known/security.txt.

Timelines

Expected response and remediation windows

These targets apply once a complete report is received.

Stage Target What you can expect
Acknowledgment Within 2 business days Confirmation that the report was received and entered into triage.
Triage decision Within 5 business days Severity classification and whether additional evidence is needed.
Remediation plan Within 10 business days Fix timeline, temporary mitigations, and disclosure coordination details.

Safe harbor

Good-faith research protections

We will not pursue action against good-faith researchers following this policy.

  • Avoid privacy violations, data destruction, and service disruption.
  • Do not exfiltrate data beyond what is needed to demonstrate impact.
  • Give us a reasonable remediation window before public disclosure.

Recognition

Disclosure outcomes

With your permission, we can credit your report in release notes or incident documentation.

We appreciate responsible disclosure. If you want attribution, include your preferred name and profile URL in your initial report.