Responsible Disclosure Policy

Effective date: June 2026

Purpose

Expose Security Research conducts good-faith security research to help organizations identify, understand, and remediate serious vulnerabilities before attackers abuse them. Public disclosure is used only after private notice and a reasonable opportunity to respond.

Research Modes

Our work is limited to passive observation of publicly accessible systems and authorized engagements with written permission. Active testing, authenticated testing, private-system access, or testing of third-party systems requires explicit authorization from the organization with authority over those systems.

Prohibited Activity

We do not perform destructive testing, persistence, malware deployment, denial-of-service, credential stuffing, brute force attacks, social engineering, phishing, spam, physical intrusion, payment bypass, or bulk data extraction. We do not access more data than is necessary to confirm and document a finding.

Evidence Minimization

Evidence is limited to the minimum needed to prove existence, impact, and remediation path. We avoid collecting raw personal data, credentials, secrets, regulated data, or customer content. Where sensitive data is unavoidable, we redact, summarize, or mask it whenever practical.

Private Notice

When we identify a serious issue, we attempt private notification through available security contacts, published disclosure channels, support channels, executive contacts, or verified ownership contacts. We may request proof of authority before sharing sensitive technical detail.

Disclosure Timeline

The standard disclosure window is 30 days from private notice, but the team may use shorter or longer countdowns depending on severity, exploitability, user safety, evidence sensitivity, and owner engagement. Statuses such as "reached out", "acknowledged", "in remediation", "fixed", "closed", "blacklisted", and "countdown expired" are managed through the team portal.

Payment Independence

We do not demand payment as a condition of non-disclosure, delay, or silence. Paid services cover professional documentation, triage support, remediation guidance, and verification. Organizations may receive an initial safety notification without purchasing a paid report.

Public Content

Public registry or blacklist entries may include organization name, domain, finding category, severity, notice date, deadline status, owner response status, and resolution status. We do not publish private reports, credentials, private user data, exploit-ready instructions, or sensitive evidence.

Blacklist Criteria

A case may appear on the public blacklist when a disclosure countdown expires without adequate response or remediation, or when the team manually escalates a case based on unresolved critical risk after private notice. Blacklist placement is a status record, not publication of private evidence.

Corrections and Appeals

Organizations may request correction, status update, dispute review, or removal by contacting security@exposesecurity.online. We will review credible ownership claims, remediation evidence, mistaken identity claims, duplicate listings, and requests to correct inaccurate public status details.

Good Faith Conduct

All research is conducted in good faith with the sole purpose of improving security. This policy describes our conduct but does not grant legal safe harbor from third parties. Written authorization is required before testing any system that is not publicly accessible or owned by the authorizing client.

Legal Compliance

Expose Security Research conducts research in accordance with responsible disclosure principles recognized internationally. We do not access private systems without explicit written authorization, and we limit research to the least intrusive methods reasonably available.

Contact

For security matters, correction requests, ownership verification, or disclosure coordination, contact security@exposesecurity.online.