Research Policy
When we find a vulnerability, we follow coordinated disclosure. The goal is straightforward: give the vendor enough time to fix the issue before anything becomes public.
Scope
All research is conducted against publicly accessible surfaces: web applications, public APIs, and openly available interfaces. We do not seek to gain persistent access to systems, exfiltrate data, or take actions intended to disrupt availability. We do not perform actions reasonably expected to destabilize a system or cause harm to its operators or users.
Where a misconfiguration exposes further access, we may examine the scope of that exposure to produce an accurate report. We do not authenticate to additional systems or escalate privileges beyond what is necessary to verify the finding.
When personal data is encountered during research, it is systematically redacted by our tooling. We retain only the minimum necessary to document the finding, and delete research data once disclosure is complete.
Process
We make initial contact through the most appropriate channel we can find: a security contact, a security.txt file, or a responsible disclosure program. If none of those exist, we fall back to a general contact. Reports are sent from [email protected].
The initial report includes a description of the vulnerability, an assessment of impact, and redacted evidence sufficient to verify and remediate the issue. For vendors who want a comprehensive assessment with full reproduction steps, root cause analysis, and remediation guidance, we offer this as a consulting engagement. Non-profit organizations are not charged.
For significant vulnerabilities, we report findings to the appropriate national cyber security centre, such as NCSC-FI, in parallel with the vendor notification.
Timeline
We give vendors 90 days from the initial report to release a fix. This is a starting point, not a hard deadline. We are willing to extend it if the vendor is actively working on a fix and communicating with us.
If we receive no response within 14 days of the initial report, we follow up. If there is still no response after 30 days, we ask NCSC-FI to assist in establishing contact with the vendor.
If there is evidence that a vulnerability is being actively exploited, we will notify NCSC-FI immediately and work with the vendor to compress the remediation timeline.
Publication
After the fix has been deployed, or after the disclosure window has passed, we may publish a write-up on our blog. Write-ups focus on the technical details: what the vulnerability was, why it existed, and what remediation looks like.
As a general practice, we do not name vendors or include details that would make them identifiable.
Reporting to us
If you have found a security issue in something we operate, we want to hear about it. If you have findings you wish to disclose to us, we are happy to receive them. Send details to [email protected]. Our PGP key is available at nullform.sh/nullform.asc.
We will not take legal action against anyone who reports a vulnerability in good faith, acts consistently with this policy, and does not cause harm.