PatchRail

Security & disclosure.

How to reach us about vulnerabilities, and what we do once you do.

REPORTING

Email us at security@getpatchrail.com

Plain text, signed or unsigned. We acknowledge every report within one business day. If it's a real vulnerability, expect a fix and a public credit within 30 days.

SENSITIVE FINDINGS

Encrypted handoff on request

If your finding is sensitive, email security@getpatchrail.com first and we will arrange an encrypted channel before you send any details.

SCOPE

What's in

getpatchrail.com and its subdomains. The PatchRail Bounty Radar product. The patchrail GitHub org's public repos.

OUT OF SCOPE

What's out

Social engineering. DDoS. Anything that requires a logged-in third-party session you do not own. Findings that depend on a victim opening an attachment.

CREDIT

We say thank you in public

Every accepted report gets a line in our public changelog with your handle, the date, and a one-sentence summary you approve.

Anything else: hello@getpatchrail.com