Security Disclosure Procedure

This page explains how CHKDSK Labs receives, triages, remediates, and publicly discloses security issues. We prefer coordinated reporting through the portal so researchers have a private thread for questions, follow-up material, and remediation updates.

Submit new findings through the security portal and keep the discussion private until disclosure is coordinated.

How to report

  1. Open a private report through the portal and include technical details that let us reproduce the issue quickly.
  2. We acknowledge the submission, assign a case, and follow up if we need clarification.
  3. Once impact is confirmed, we work on remediation and keep the report thread updated through validation, fix, and release.
  4. After a fix or dependable mitigation is ready, we publish a security disclosure or fix report with the coordinated timeline.

What to include

  • Affected product, environment, version, or deployment details.
  • Clear reproduction steps, proof of concept, logs, or screenshots.
  • Observed impact, expected impact, and any known prerequisites.
  • A reliable contact method so we can coordinate privately.

Response timeline targets

These are operating targets rather than guarantees. Severity, reproducibility, affected systems, and release complexity can change the schedule, but we use the same private thread to communicate any delay.

Within 3 business days

Acknowledgement

We confirm receipt, open a private case, and let you know whether we have enough information to reproduce the issue.

Within 5 business days

Initial triage

We validate impact, assign severity, and share the next investigative step or any clarifying questions.

Every 7 days while active

Status updates

If remediation is still in progress, we provide a progress update at least weekly through the private ticket thread.

Target: 90 days

Remediation and disclosure

Our default goal is coordinated disclosure within 90 days, or sooner when a fix or reliable mitigation is available. If a case needs more time, we will explain why.

Researcher expectations

  • Avoid intentionally disrupting service, degrading availability, or accessing data that does not belong to you.
  • Use the minimum testing necessary to prove impact.
  • Keep the report confidential until we coordinate public disclosure.
  • Do not use social engineering, phishing, spam, or physical intrusion techniques.

Recognition and rewards

CHKDSK Labs does not currently offer bug bounties, cash awards, or merchandise for vulnerability submissions.

If you would like public credit, we can acknowledge you by name, handle, or organization in the published disclosure or fix report. If you prefer to stay private, we will respect that.