Vulnerability Disclosure Policy
Effective: 2026-02-24
Applicability
This policy applies to:
- Projects in the Exosphere GitLab namespace https://gitlab.com/exosphere.
- The Exosphere hosted sites as enumerated in the Acceptable Use Policy.
- The exosphere.app domain name, DNS, and everything that is served within it.
If you are reporting a vulnerability in a third-party deployment of Exosphere that is not operated by the Exosphere project, please report it to that deployment's operators.
Reporting
How to Report
Please create a new issue in the Exosphere GitLab project and turn on confidentiality:
- Create a new issue.
- Check the "Turn on confidentiality" checkbox before submitting.
If you cannot use GitLab, contact maintainers directly:
- Message maintainers on Matrix (if needed, start in #exosphere:matrix.org and ask to move to a private room without posting vulnerability details publicly).
- Send email to one or both of these addresses (replace %):
  - Replace % with i: jul%an@jul%anp%stor%us.com
  - Replace % with e: t%%.kyl%@gmail.com
Response Timeline
When possible, we will:
- Acknowledge receipt within 7 calendar days.
- Request additional details if needed.
- Provide status updates at least every 14 calendar days while a report is active.
Resolution time depends on severity, scope, and maintainer capacity.
Escalation
If you do not receive an acknowledgement within 7 calendar days:
- Re-send your report to both maintainer email addresses above.
- Include "SECURITY REPORT ESCALATION" in the subject line.
- If needed, ask in #exosphere:matrix.org for a private channel without posting vulnerability details publicly.
Please do not disclose vulnerabilities publicly before we have had a reasonable chance to investigate and address them.
What to Include in a Report
Please include as much of the following as you can:
- A short summary of the suspected vulnerability.
- Affected component, URL, and version/commit (if known).
- Steps to reproduce.
- Evidence (request/response samples, screenshots, logs, or proof-of-concept).
- Estimated scope, severity, and impact (what an attacker can do).
If you used AI-assisted tools, include a short self-certification that you reviewed and validated the reported behavior to the best of your ability.
Good-Faith Research and Safe Harbor
If you make a good-faith effort to follow this policy, we will not pursue legal action against you for your security research.
Please:
- Do not exploit vulnerabilities beyond the minimum steps required to confirm and demonstrate them.
- Do not access, modify, or delete data that is not your own.
- Do not intentionally disrupt services, degrade availability, or harm users.
- Stop testing and report promptly after you confirm a plausible vulnerability.
This policy does not authorize actions that violate law or regulations.