Security / vulnerability disclosure
Find the flaw. Protect the people.
Good-faith research makes systems safer. This policy explains what may be tested, what must remain untouched, and how to begin a responsible disclosure.
Philosophy
Security improves when useful reports have a clear route.
If you discover a vulnerability affecting this site, responsible disclosure is welcome. The goal is to understand the issue, reduce harm, and create enough space to correct it before technical details are made public.
Safe harbor
Good-faith research within these boundaries is authorized.
I will not initiate legal action against researchers for security testing performed in good faith and consistent with this policy. If a report reveals activity outside these boundaries, context and intent will be considered before any response.
Testing boundaries
Research must avoid harm, persistence, and unnecessary access.
- Do not access, modify, retain, or delete data that does not belong to you.
- Do not compromise another person’s privacy, safety, account, or session.
- Do not perform denial-of-service, traffic flooding, or resource-exhaustion testing.
- Do not use phishing, social engineering, credential attacks, or physical intrusion.
- Do not establish persistence, pivot to another system, or continue after impact is proven.
- Do not publicly disclose the issue before there has been a reasonable opportunity to respond.
Scope
The boundary is intentionally narrow.
In scope
nat.ioand subdomains directly operated as part of this site.
Out of scope
- Third-party platforms, hosting providers, CDNs, identity providers, and embedded services.
- Issues that require access to another person’s device, browser profile, or account.
- Automated reports without evidence of an exploitable security impact.
Please report third-party issues directly to the organization that operates the affected service.
Reporting
Begin with a minimal notice.
The on-site form is currently offline. Use the security contact route to send a brief initial notice through LinkedIn and request a safer channel for technical evidence.
Once a secure route is agreed, a useful report normally includes:
- A concise description of the vulnerability and its likely impact.
- Reproduction steps using the minimum access and data required.
- A proof of concept, screenshots, or logs with secrets and personal data removed.
- Any remediation idea or relevant environmental detail you already have.
Reports will be acknowledged and updates shared as soon as practical.
Open the security contact route ↗