How to report
Email security@cia.dev with enough detail for us to reproduce the issue:
- The affected URL, endpoint, or component;
- A clear description and step-by-step reproduction;
- Proof-of-concept (request/response, screenshot, or short video) where helpful;
- The potential impact as you see it.
Scope
This policy covers cia.dev and other internet-facing systems operated by CIA Development, LLC. If you're unsure whether something is in scope, ask first.
Our commitments
- We will acknowledge your report within 3 business days.
- We will keep you updated as we investigate and remediate.
- We will credit you for the discovery if you'd like (and you may remain anonymous).
- We do not currently run a paid bug-bounty program; reports are accepted on a good-faith basis.
Safe harbor
We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. We consider such research to be authorized conduct. If legal action is initiated by a third party against you for activity consistent with this policy, we will make this authorization known.
Rules of engagement
To stay within safe harbor, please:
- Only test against accounts and data that belong to you;
- Avoid privacy violations, data destruction or exfiltration, and service degradation;
- Do not run denial-of-service tests, send spam, or use social engineering or physical attacks;
- Give us a reasonable time to remediate before any public disclosure, and coordinate timing with us.
Out of scope
Reports that generally don't qualify include: missing security headers without a demonstrated exploit, rate-limiting or best-practice suggestions, automated scanner output without validation, and social-engineering or physical findings.
A machine-readable version of this contact information is published as a security.txt file (RFC 9116), which the RFC specifies is served at /.well-known/security.txt.
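As an added example (not part of this page, and not the file cia.dev actually serves), the checker below applies the RFC 9116 field rules a publisher most often gets wrong: Contact must appear at least once and be a mailto:, tel: or https: URI; Expires must appear exactly once, be an RFC 3339 timestamp, and still be in the future (the RFC recommends under a year out); Preferred-Languages may appear at most once; and web URIs must use https. The sample file contents, the Expires date, and the Policy and Canonical URLs are constructed for illustration.

```python
"""Parse and sanity-check a security.txt file against RFC 9116 field rules."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample for illustration only; the file served at
# https://cia.dev/.well-known/security.txt may differ in content and dates.
SAMPLE_SECURITY_TXT = """\
# Constructed example, not the published cia.dev file
Contact: mailto:security@cia.dev
Expires: 2024-12-31T23:59:59Z
Policy: https://cia.dev/security
Canonical: https://cia.dev/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed broken sample: plain-http Contact, no Expires, duplicated language field.
BROKEN_SECURITY_TXT = """\
Contact: http://cia.dev/security
Preferred-Languages: en
Preferred-Languages: de
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*?)[ \t]*$")
WEB_URI_FIELDS = ("canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return ({lowercased field name: [values...]}, [syntax errors]).

    Field names are case-insensitive per RFC 9116; blank lines and
    '#' comments are skipped; anything else must be 'Field: value'.
    """
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m or not m.group(2):
            errors.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, errors


def _parse_rfc3339(value):
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Apply the RFC 9116 field rules. Returns (errors, warnings) as lists of strings.

    `now` may be a timezone-aware datetime or an RFC 3339 string; defaults to UTC now.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_rfc3339(now)

    fields, errors = parse_security_txt(text)
    warnings = []

    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("Contact: required at least once")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            errors.append(f"Contact: must be a mailto:, tel: or https: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires: required exactly once")
    else:
        try:
            exp = _parse_rfc3339(expires[0])
        except ValueError:
            errors.append(f"Expires: not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                errors.append("Expires: timestamp must carry a timezone offset")
            elif exp <= now:
                errors.append(f"Expires: file expired at {expires[0]}")
            elif exp - now > timedelta(days=365):
                warnings.append("Expires: more than a year out; RFC 9116 recommends under a year")

    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages: must not appear more than once")

    for name in WEB_URI_FIELDS:
        for v in fields.get(name, []):
            if v.startswith("http://"):
                errors.append(f"{name.title()}: web URIs must use https: {v}")
    return errors, warnings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        errs, warns = validate_security_txt(text, now="2024-06-01T00:00:00Z")
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for e in errs + warns:
            print("  -", e)
```

Run it against a copy of your own file (`validate_security_txt(open(path).read())`) before publishing; the Expires check in particular is the one that silently breaks a file months after it was written.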