Spiral Sentinel Labs Security disclosure

Responsible Disclosure

Report public-site security issues carefully.

Spiral Sentinel Labs welcomes responsible disclosure for public web surfaces operated by the lab.

Please keep testing bounded to public pages, static assets, headers, DNS, TLS, and other openly routed surfaces.

Report Format

Make the issue reproducible.

Please include the affected URL or domain, a clear description, reproduction steps, expected versus actual behavior, browser or tool versions when useful, and any screenshots or request examples that help verify the issue.

Allowed Scope

Public surfaces only.

Appropriate reports include issues with public static pages, response headers, DNS, TLS, DANE/TLSA, security.txt, robots.txt, and other public-facing configuration. Avoid automated high-volume scanning against the VPS.

Do Not Attempt

No private-system access.

Do not attempt to access private systems, local devices, protected routes, credentials, non-public APIs, administrative panels, or hardware-bound S1M4X systems. The VPS is a public beacon and static host, not the private core.

Good Faith

Keep testing safe.

Do not exfiltrate data, persist access, bypass authentication, degrade service, or run destructive tests. If a proof of concept is needed, keep it minimal and stop once the vulnerability is demonstrated.

Policy Route

Security and privacy stay linked.

The current privacy policy is published at /privacy/. The signed security.txt file points researchers to the responsible disclosure route.