Responsible Disclosure
We welcome reports of security vulnerabilities and commit to working with researchers in good faith under a coordinated-disclosure model. Our posture is authorized-only and ANCS-aligned: we ask researchers to hold to the same standard we hold ourselves to on every engagement.
Last updated: 29 June 2026
Security contact
Report security issues to security@tunicyberlabs.com. Include enough detail and clear steps to reproduce so we can validate the issue quickly. If a finding is sensitive, ask us and we will arrange an encrypted channel before you share details.
Coordinated disclosure
We operate coordinated disclosure, defaulting to private. We will acknowledge your report, keep you updated on our progress, and agree a disclosure timeline with you. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.
Scope and rules of engagement
Authorized-only is the foundation of how we work, and we ask the same of you:
- ▸Only test assets you are explicitly authorized to test
- ▸Do not access, modify, or exfiltrate data that isn't yours
- ▸Avoid actions that degrade service or affect availability
- ▸Stop and report as soon as you confirm a vulnerability — do not pivot further
- ▸Do not use social engineering, physical attacks, or denial-of-service techniques
Our commitment
For good-faith research that follows this policy, we will not pursue legal action and will treat you as a partner in keeping systems safe. We are happy to credit researchers who report valid issues, where they wish to be named.
ANCS-aligned posture
Our disclosure practice is consistent with our broader authorized-only, ANCS-aligned framing. We will, where appropriate and lawful, coordinate with the relevant national authorities and affected parties to ensure issues are handled responsibly.
