xerod conducts independent security research. This document describes how we handle vulnerabilities we discover in third-party products, and how external researchers can report issues affecting xerod.
Reporting to xerod
- Contact: info@xerod.io
- PGP key fingerprint: 5C0F 3F54 8DF9 F023 A75E A6FB 7E6C 1114 E7EC A6F5
- security.txt: /.well-known/security.txt
Encrypt reports with our PGP key. Include affected product, version, reproduction steps, and impact. We acknowledge within 3 business days and provide a triage decision within 10 business days.
Our disclosure timeline (when we report to vendors)
We follow a 90-day coordinated disclosure policy consistent with industry practice. The clock starts on the date we notify the vendor through a reasonable channel.
| Day | Event |
|---|---|
| 0 | Vendor notified with technical details. |
| +7 | Escalation if no acknowledgement received. |
| +90 | Default public disclosure date. |
| +104 | Maximum extension (14 days) when vendor is actively remediating. |
Early disclosure may occur if the vulnerability is being exploited in the wild, if the vendor discloses first, or if the vendor acts in bad faith. Late disclosure may be granted, in writing, when a fix is scheduled and progress is demonstrable.
Publication
Advisories are published at /advisories/. Each advisory ships as:
- an HTML page with full technical detail;
- a canonical plain-text .txt rendering;
- a detached PGP signature (.txt.asc) over that plain-text rendering;
- a CSAF 2.0 .json document for machine consumption.
Published advisories are immutable: corrections become new numbered revisions with a visible changelog on the advisory page.
Proof-of-concept code
We publish PoC material only when it aids defenders more than attackers: after a fix is available, after sufficient time has passed, or when existing public exploitation justifies it. Withheld PoCs are labeled as such with a short rationale.
Safe harbor (for researchers reporting to xerod)
Good-faith security research conducted under this policy will not result in legal action from xerod. "Good faith" means: no data destruction, no service disruption, no accessing data beyond what is needed to demonstrate the issue, and no public disclosure before agreed timelines.
Scope
In scope: any xerod-owned domain, product, or service. Out of scope: denial-of-service testing, social engineering of xerod staff, physical attacks, and issues in third-party services we consume but do not operate.
Credit
We credit reporters by default. Researchers may request anonymity or a pseudonym. Credit is recorded on the advisory page and in the CSAF document.