Coordinated vulnerability disclosure
Project-AI invites inspection. This page describes how to report a security issue, what is in scope, and what response you can expect.
Email security@thirstysystems.com with reproduction steps and expected vs. observed behavior. PGP key fingerprint and rotation log are published at /keys.
What to expect after reporting:
- Acknowledgement: within 72 hours.
- Triage + severity rating: within 7 days.
- Fix or mitigation plan: within 30 days for high/critical.
- Credit (if you want it) on the disclosed advisory.
In scope:
- The public portal at thirstysystems.com.
- Server functions, RLS policies, auth flows, T&C gate.
- Receipt signing, chain continuity, key handling.
- Published architecture / governance documents (factual integrity).
Out of scope:
- Volumetric DoS / DDoS, traffic floods, automated scanning noise.
- Social engineering of the author or third parties.
- Physical attacks against any operator.
- Self-XSS, missing security headers without demonstrable impact.
- Reports generated by automated scanners without manual validation.
Good-faith research conducted under this policy will not be pursued, provided you (a) avoid privacy violations, data destruction, and service degradation, (b) only interact with accounts you own or are explicitly authorized to test, (c) give us reasonable time to remediate before public disclosure, and (d) do not exfiltrate data beyond what is necessary to demonstrate the issue.
Machine-readable contact metadata is published at /.well-known/security.txt per RFC 9116.