binautopsy · 0x00400420confidentialv24.04 · sha 9f4e…a2c1pgp 0x783E 8C5A
LIVE · incident intake operational pgp 5421 993B … EAB8 0385 lat EU-SW · 42ms tz UTC+01 · AD
uptime 99.98% queue 3 active · 2 pending last note · 2026-04-26
← /

Responsible disclosure

Binautopsy Labs welcomes good-faith reports of vulnerabilities affecting binautopsy.com and any Binautopsy-operated infrastructure.

Scope

  • binautopsy.com and subdomains
  • Binautopsy-operated mail, VPN, file-exchange, and analyst infrastructure
  • Custom Binautopsy code published under the binautopsy-labs namespace

Out of scope

  • Third-party systems or services (report to the affected vendor)
  • Client artefacts or client systems analysed under engagement
  • Generic findings such as missing security headers without a demonstrated impact
  • Reports that require physical access to Binautopsy premises
  • Denial-of-service findings against production systems

Safe harbour (good-faith research)

If you make a good-faith effort to comply with this policy during your security research, we will treat your research as authorised, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. Good-faith research means: reporting through the channels below, not exfiltrating data beyond what is needed to demonstrate the vulnerability, not degrading services, and giving us reasonable time to remediate before disclosure.

How to report

Email security@binautopsy.com with subject prefix BA-DISCLOSURE. Sensitive details should be encrypted to our PGP key (fingerprint 5421 993B 5145 A156 5263 22A0 783E 8C5A EAB8 0385).

What to include

  • A clear description of the vulnerability
  • Affected URL, parameter, or component
  • Reproduction steps
  • Observed impact and your assessment of severity
  • Any proof-of-concept material — minimal, only what is needed to demonstrate the issue
  • Whether you intend to disclose publicly, and on what timeline

Expected response

Acknowledgementwithin 2 business days
Initial triage & severitywithin 5 business days
Remediation timelinecommunicated after triage; typical: 30 days for high, 90 days for medium
Public creditoffered to reporters who request it after fix is shipped

What not to do

  • Do not exfiltrate data beyond what is required to demonstrate the issue
  • Do not degrade or interrupt service
  • Do not access, modify, or delete data belonging to other parties
  • Do not run automated scanners against production without prior coordination
  • Do not publicly disclose before remediation unless we have failed to respond within the timeframes above

Coordinated disclosure

We follow a coordinated disclosure model. We aim to ship a fix and credit reporters before any public write-up. If we cannot ship a fix within an agreed window, we will discuss timelines and any necessary mitigations openly.