Legal & compliance centre

HLD Group

Responsible disclosure

Guidelines for good-faith security research on HLD Group systems.

Last updated: 21 May 2026

Version 1.2 · Review cycle: 365 days

1. Our commitment

HLD Group welcomes good-faith security research that helps protect our customers and systems. We commit to working with researchers and to not pursuing legal action for activities that follow this policy.

2. Scope

In scope:

  • *.hldgroup.org properties and publicly documented APIs
  • Customer trial environments explicitly labelled for testing
  • Open-source repositories officially maintained by HLD

Out of scope:

  • Social engineering of personnel or customers
  • Physical intrusion or denial-of-service
  • Third-party services not operated by HLD
  • Automated scanning that degrades production performance

3. Reporting

Send reports to [email protected] with a description, steps to reproduce, an impact assessment, and a proof-of-concept if available. Encrypt the report with our PGP key where published.

4. Safe harbour

Give us reasonable time (typically 90 days) to remediate before public disclosure. Do not access, modify, or delete customer data. Stop testing when asked.

5. Recognition

We acknowledge valid reports in our hall of fame where researchers consent. Bounties may be offered at our discretion for critical findings.

6. Legal

Activities must comply with applicable law. Researchers must not violate privacy or damage systems.

For contractual attestations or audit packs, contact [email protected].