Security & disclosure.
How to reach us about vulnerabilities, and what we do once you do.
REPORTING
Email us at security@getpatchrail.com
Plain text, signed or unsigned. We acknowledge every report within one business day. If it's a real vulnerability, expect a fix and a public credit within 30 days.
SENSITIVE FINDINGS
Encrypted handoff on request
If your finding is sensitive, email security@getpatchrail.com first and we will arrange an encrypted channel before you send any details.
SCOPE
What's in
getpatchrail.com and its subdomains. The PatchRail Bounty Radar product. The patchrail GitHub org's public repos.
OUT OF SCOPE
What's out
Social engineering. DDoS. Anything that requires a logged-in third-party session you do not own. Findings that depend on a victim opening an attachment.
CREDIT
We say thank you in public
Every accepted report gets a line in our public changelog with your handle, the date, and a one-sentence summary you approve.
Anything else: hello@getpatchrail.com