Responsible Disclosure Policy.

Security Policy

We take security seriously. If you discover a vulnerability in our systems, we want to know. This policy outlines how to report security issues, what to expect from our team, and our commitment to protecting researchers who act in good faith.

Report vulnerabilities. We respond. Researchers are protected.

Redoubt Forge maintains a responsible disclosure program for security researchers. Report potential vulnerabilities to [email protected]. We acknowledge receipt within 48 hours, triage within 5 business days, and coordinate disclosure after remediation. Good-faith research conducted under this policy is authorized.

01
Reporting a Vulnerability
How to Submit. What to Include. Where to Send It.

Send your report to [email protected]. Include a clear description of the vulnerability, the affected system or endpoint, and any relevant URLs or parameters. Provide step-by-step reproduction instructions so our team can verify the issue independently. Describe the potential impact or severity as you understand it. Include your contact information so we can follow up with questions or status updates.

If you need encrypted communication, request our PGP key at the same address. We will provide it promptly. Keep the key request free of vulnerability details and send the full report only once you can encrypt it. Please avoid accessing, modifying, or deleting data belonging to other users during your research; if you encounter such data unintentionally, stop, capture only what is needed to demonstrate the issue, and tell us in your report. Do not publicly disclose vulnerability details before coordinated disclosure is complete. Reports that include proof-of-concept code, screenshots, or network captures help our team triage faster and reduce the time to remediation.

We accept reports for any vulnerability class: authentication bypasses, authorization flaws, injection vulnerabilities, cryptographic weaknesses, information disclosure, misconfigurations, and any other issue that could compromise the confidentiality, integrity, or availability of our systems or user data. If you are unsure whether an issue qualifies, report it. We would rather receive a report that turns out to be a non-issue than miss a legitimate vulnerability because a researcher hesitated.

02
Our Response
Acknowledgment. Triage. Updates. Disclosure.

We acknowledge receipt of your report within 48 hours. This acknowledgment confirms that your report has been received, assigned a tracking identifier, and queued for triage. Triage and initial assessment occur within 5 business days. During triage, our security team reproduces the reported issue, evaluates its severity, and determines the appropriate remediation path.

You receive status updates at least every 10 business days until the issue is resolved. Updates include current remediation status, any questions our team has about the report, and estimated timelines for resolution. We do not leave reporters waiting without communication. If remediation requires longer than initially estimated, we explain why and provide a revised timeline.

We coordinate disclosure with you after remediation is complete. Coordinated disclosure means we agree on a date to publicly disclose the vulnerability details, giving our team sufficient time to deploy fixes and giving affected users time to update. We credit researchers in our disclosure communications unless anonymity is requested. Our goal is to resolve reported vulnerabilities promptly, transparently, and in partnership with the researcher who identified them.

03
Scope
What Is Covered. What Is Not.

The following assets are in scope for this policy: redoubtforge.com, *.redoubtforge.com, and the Redoubt Forge platform, including all web applications, APIs, and authentication systems operated by Redoubt LLC. Vulnerabilities discovered in any of these assets qualify for responsible disclosure under this policy. Research conducted against in-scope assets in accordance with this policy is authorized.

The following activities and targets are out of scope: social engineering attacks against employees, contractors, or users; denial of service attacks, including volumetric, protocol, and application-layer attacks; physical security testing of offices, data centers, or other facilities; and third-party services, integrations, and hosted platforms not owned or operated by Redoubt LLC. Vulnerabilities in upstream dependencies should be reported to the maintainer of that dependency, not to Redoubt Forge, unless the vulnerability is specific to our integration or configuration of that dependency.

Automated scanning that generates excessive traffic, degrades service availability, or impacts other users is not authorized under this policy. We ask researchers to limit the rate and scope of automated testing to avoid disrupting production services. If your research methodology requires higher-volume testing, contact us first to arrange a testing window. Research against staging or non-production environments is preferred when available.

04
Safe Harbor
Good-Faith Research Is Authorized and Protected.

Good-faith security research conducted in accordance with this policy is considered authorized activity. We will not pursue civil or criminal legal action against researchers who comply with this policy, act in good faith, and report their findings through the designated channel. This authorization extends to activities that might otherwise constitute a violation of applicable anti-hacking laws, provided the researcher adheres to the scope and conduct requirements described in this policy.

If a third party initiates legal action against you for activities that were conducted in compliance with this policy, we will take steps to make it known that your actions were authorized under our responsible disclosure program. We will provide documentation of that authorization to support your defense. We consider security research conducted under this policy to be a valuable contribution to the security of our platform and the organizations that depend on it.

This safe harbor applies only to legal claims under the control of Redoubt LLC. It does not bind other parties. We encourage researchers to consult their own legal counsel if they have questions about how their research activities interact with applicable laws in their jurisdiction. To maintain safe harbor protection, researchers must avoid accessing data belonging to other users, avoid disrupting services for other users, and report findings exclusively through the designated reporting channel before any public disclosure.

05
Recognition
Responsible Researchers Are Acknowledged.

Researchers who responsibly disclose verified vulnerabilities are recognized on our Security Acknowledgments page. Recognition includes the researcher's name (or preferred alias), the date of disclosure, and a general description of the vulnerability category. We believe that acknowledging researchers publicly reinforces the value of responsible disclosure and encourages continued participation from the security community.

If you prefer to remain anonymous, let us know in your initial report or at any point before publication. We respect researcher preferences regarding attribution. Recognition is offered for all verified vulnerabilities regardless of severity. Every valid report contributes to the security of our platform and the organizations that rely on it.

Your contribution strengthens our defenses. Responsible disclosure is a partnership: researchers identify issues, our team remediates them, and the security posture of the platform improves for every user. We are grateful to every researcher who takes the time to investigate, document, and report vulnerabilities through this program.
