Research Policy
When we find a vulnerability, we follow coordinated disclosure. The goal is straightforward: give the vendor enough time to fix the issue before anything becomes public.
Scope
All research is conducted against publicly accessible surfaces: web applications, public APIs, and openly available interfaces. We do not bypass access controls, compromise credentials, or run exploits. We do not perform actions that could destabilize a system or cause harm to its operators or users.
Where a misconfiguration exposes further access, we follow the access chain to establish the full scope of impact. This is necessary to produce an accurate report.
When personal data is encountered during research, it is systematically redacted by our tooling. We retain only what is necessary to document the finding.
Process
We make initial contact through the most appropriate channel we can find: a security contact, a security.txt file, or a responsible disclosure program. If none of those exist, we fall back to a general contact. Reports are sent from [email protected].
The initial report includes a description of the vulnerability, an assessment of impact, and redacted evidence sufficient to verify the issue. For vendors who want a comprehensive assessment with detailed reproduction steps and remediation guidance, we offer this as a consulting engagement.
For significant vulnerabilities, we report findings to NCSC-FI (Finland's National Cyber Security Centre) in parallel with the vendor notification.
Timeline
We give vendors 90 days from the initial report to release a fix. This is a starting point, not a hard deadline. We are willing to extend it if the vendor is actively working on a fix and communicating with us.
If we receive no response within 14 days of the initial report, we follow up. If there is still no response after 30 days, we ask NCSC-FI to assist in establishing contact with the vendor.
We reserve the right to disclose earlier if we believe the vulnerability is being actively exploited in the wild.
Publication
After the fix has been deployed, or after the disclosure window has passed, we may publish a write-up on our blog. Write-ups focus on the technical details: what the bug was, why it existed, and how it was fixed.
We do not name vendors or include details that would make them identifiable.
Reporting to us
If you have found a security issue in something we operate, or have other findings you wish to disclose to us, we want to hear about it. Send details to [email protected]. Our PGP key is available at nullform.sh/nullform.asc.
We will not take legal action against anyone who reports a vulnerability in good faith and does not cause harm.