Vulnerability Disclosure Policy

How to report security vulnerabilities in DirectiveOps products and how we respond.

Last updated: 2025-01-01

1. Scope

We welcome reports of security vulnerabilities in our hosted service, website, and related systems. This policy describes how to report and what to expect from us. We ask that You act in good faith and avoid violating applicable law or harming users.

2. How to report

Send reports to security@directiveops.dev. Include a description of the vulnerability, steps to reproduce, and any proof-of-concept or impact assessment if available. We prefer encrypted communication for sensitive details; we can provide a key on request. Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.

3. Our response

We will acknowledge receipt promptly and will work to validate and address the issue. We will keep You informed of progress where appropriate. We may request additional information. We do not guarantee a bounty or reward unless we have a formal program in place; we do commit to acknowledging researchers who report valid issues in accordance with this policy, if they so agree.

4. Safe harbor

We will not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy, and who do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability. We reserve the right to take action if the researcher violates the law or this policy.

5. Contact

security@directiveops.dev. See the Contact and Legal Notice document for our address.
