Security & disclosure.
How to reach us about vulnerabilities, and what we do once you do.
REPORTING
Email us at security@getpatchrail.com
Plain text, signed or unsigned. We acknowledge every report within one business day. If it's a real vulnerability, expect a fix and a public credit within 30 days.
PGP
Encrypted reports welcome
PGP key fingerprint: 4B7D 3F1E 8A2C 9D6F 5E0A. Full key at /security/patchrail-pgp.asc. Use it if your finding is sensitive.
SCOPE
What's in
getpatchrail.com and its subdomains. The PatchRail Bounty Radar product. The patchrail GitHub org's public repos.
OUT OF SCOPE
What's out
Social engineering. DDoS. Anything that requires a logged-in third-party session you do not own. Findings that depend on a victim opening an attachment.
CREDIT
We say thank you in public
Every accepted report gets a line in our public changelog with your handle, the date, and a one-sentence summary you approve.
Anything else: hello@getpatchrail.com