Responsible Disclosure Policy
Last Updated: March 7, 2026
At Researcherlian Security Research, we believe in the importance of coordinated vulnerability disclosure. This policy outlines our commitment to working with security researchers who discover vulnerabilities in our systems or in systems we test on behalf of clients.
For Researchers Reporting to Us
If you discover a vulnerability in Researcherlian's systems:
1. Report
Send details to researcherlian@gmail.com including steps to reproduce, impact assessment, and your contact information.
2. Acknowledge
We will acknowledge receipt within 24-48 hours and begin investigation.
3. Investigate
Our team will validate and assess the vulnerability.
4. Remediate
We develop and deploy fixes based on severity.
5. Credit
With your permission, we credit you in our security acknowledgments.
6. Disclose
After remediation, we coordinate public disclosure.
For Vulnerabilities in Client Systems
If you discover a vulnerability in a system we tested:
Please report directly to the system owner first. If you're unable to reach them or need assistance with responsible disclosure, contact us at researcherlian@gmail.com and we'll help coordinate.
Our Responsible Disclosure Principles
What We Promise
- Prompt Acknowledgment: We'll confirm receipt within 48 hours
- Fair Investigation: All reports are investigated thoroughly
- Timely Remediation: We prioritize based on severity:
  - Critical: 24-48 hours
  - High: 3-5 business days
  - Medium: 10-14 business days
  - Low: Next release cycle
- Credit Where Due: We acknowledge researchers who follow responsible disclosure (with permission)
- Safe Harbor: We won't pursue legal action against researchers who follow this policy
What We Ask
- Report Privately: Give us reasonable time to fix before public disclosure
- Provide Details: Clear steps to reproduce help us fix faster
- Be Ethical: Don't exploit vulnerabilities beyond proof of concept
- Respect Privacy: Don't access or exfiltrate user data
- No Disruption: Avoid testing that could impact service availability
Safe Harbor
Security research conducted in accordance with this policy is considered:
- Authorized access to our systems
- Good-faith security research
- Exempt from legal action or DMCA notices
This safe harbor applies as long as you follow this policy and don't intentionally harm systems or users.
Out of Scope
The following are not eligible under this policy:
- Denial of Service (DoS) attacks
- Physical security attacks
- Social engineering of employees
- Spam, phishing, or brute force attacks
- Vulnerabilities in third-party systems
- Previously reported vulnerabilities
- Theoretical vulnerabilities without proof of concept
What We Don't Consider Legitimate
- Extortion or threats to disclose without giving us time to fix
- Public disclosure without coordination
- Excessive testing that impacts system availability
- Data theft or exfiltration
Recognition
We value the security research community. Valid reports may receive:
- Public acknowledgment in our Hall of Fame (with permission)
- Letters of appreciation
- Invitations to private bug bounty programs
- Swag and recognition at security conferences
Note: We currently do not operate a paid bug bounty program, but we greatly appreciate coordinated disclosure.
PGP Encryption
For sensitive vulnerability reports, please encrypt with our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Keybase OpenPGP v1.0.0

xsFNBmK... (full key available on request)
-----END PGP PUBLIC KEY BLOCK-----
Disclosure Timeline Guidelines
Standard Timeline:
- Day 0: Report received and acknowledged
- Day 1-7: Investigation and validation
- Day 8-30: Fix development and testing
- Day 31-45: Patch deployment
- Day 46-60: Coordinated public disclosure
Critical vulnerabilities may be fixed faster; complex issues may take longer. We'll keep you updated throughout.
Report a Vulnerability
To report a vulnerability:
- Email: researcherlian@gmail.com
- PGP Fingerprint: 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678
- Response Time: Within 24-48 hours
We look forward to working with you to make the digital world more secure.