StealthByte Labs · Responsible Disclosure

01Scope

This policy covers three classes of finding:

Vulnerabilities in our own infrastructure — anything reachable at stealthbytelabs.com, our subdomains, our developer-facing services, or the Obsidian agent platform itself. If you found one, jump to §04 reporting.
Vulnerabilities discovered during engagements in a client environment — handled per the engagement contract and §02 below.
Vulnerabilities discovered in third-party software during research or during engagements — coordinated with the affected vendor per §03 below.

// safe harbor

If you are a security researcher acting in good faith under this policy, we will not pursue civil or criminal action against you, and we will not request that law enforcement do so. The detailed conditions for good-faith research are in §05.

02Findings during client engagements

During every engagement, our operators may discover vulnerabilities that fall outside the client's own software — in vendor products, third-party libraries, hosted services, or open-source components. Our handling of these is governed by the engagement contract and by the principles below.

What we do

The client is notified immediately, with full technical detail and a private mitigation guide.
The affected vendor is contacted via their coordinated disclosure channel within 5 business days of the client notification.
Public disclosure follows industry-standard 90-day windows from vendor notification, extendable by mutual agreement when patch development reasonably requires it.
The vendor receives a complete technical writeup, proof-of-concept, and proposed CVSS scoring.
The client environment is the first priority for mitigation, before any other affected user.

What we will not do

We will not sell vulnerability information to brokers, governments, or any third party.
We will not retain weaponized exploit code beyond the disclosure window.
We will not publish identifying detail about the affected client without explicit written permission.
We will not coordinate with parties that conduct offensive operations against unwilling targets.

// commitment

Every operator at the lab signs an internal version of this policy as a condition of employment. We have refused two acquisition offers in part because the acquirer's disclosure practices were incompatible with these commitments.

03Coordinated disclosure timeline

For vulnerabilities we report to third-party vendors, this is the timeline we follow. Days are calendar days unless otherwise noted.

DAY 0

Vendor notification We send a full technical report — proof of concept, affected versions, suggested CVSS — via the vendor's published security contact (security.txt, PSIRT, or HackerOne where available). We request an acknowledgment within 5 business days.

DAY 5

Acknowledgment expected If we have heard nothing, we send a follow-up to a second channel. If we have still heard nothing by day 14, we escalate to CERT/CC or the relevant national CERT.

DAY 14

Engagement window By this point we expect to be in regular technical correspondence with the vendor's security team. We share additional artifacts, answer reproduction questions, and discuss CVSS scoring jointly.

DAY 45

Mid-window review We check in on patch progress. If the vendor needs an extension beyond day 90, we request a written explanation and target patch date. Extensions are granted in good faith — typically once.

DAY 90

Public disclosure By day 90, the vendor has typically shipped a patch and a CVE has been assigned. We publish a writeup on the /intel feed with full technical detail. If the patch is in active deployment and broad disclosure would cause harm, we will delay technical detail by mutual agreement.

DAY 90+

If patch is not available If 90 days have elapsed and no patch has shipped, we publish an advisory containing: affected products, observable indicators, mitigation guidance, and severity assessment — but we withhold weaponized PoC until a patch is available or until further delay would itself cause greater harm. This is a judgment call we make publicly and document in the advisory.

04Reporting a vulnerability to us

If you have discovered a vulnerability in our own infrastructure — the website, the Obsidian agent platform, our developer tooling, or anything else we operate — we want to hear from you. We treat researchers reporting in good faith as collaborators, not threats.

What's in scope

stealthbytelabs.com and all subdomains we operate
The Obsidian agent platform and its API endpoints
Our internal authentication, identity, and code-signing infrastructure
Any open-source code we publish under the stealthbyte-labs organization

What's out of scope

Findings that require physical access to our offices or our staff's devices
Issues in third-party services we use (Stripe, Cloudflare, etc.) — please report those directly to the affected vendor
Social engineering attempts against our staff (we run our own internal tests for this)
Volumetric DoS, password-spraying campaigns, and other noise-generation

How to send it

Email security@stealthbytelabs.com, encrypted with the PGP key below. Include reproduction steps, affected versions or endpoints, and any artifacts that would help us verify. If you can't use PGP for some reason, the contact form at /contact works for initial coordination; we'll move to encrypted channels for the technical detail.

PGP fingerprint (full key available at /.well-known/security.asc):

7F3A 8B2D 1184 4C92 · A6D5 E081 B73F 22CF

05Safe harbor for good-faith research

Research that meets all of the conditions below is research we will treat as authorized under this policy:

You operate within the scope defined in §04 above.
You do not access, modify, or delete data belonging to anyone other than yourself or accounts you control.
You make a good-faith effort to avoid privacy violations, service disruption, and data destruction.
You report the finding to us promptly, give us reasonable time to remediate, and do not disclose to third parties before our agreed disclosure window.
You do not exploit the vulnerability beyond what is necessary to demonstrate it.
You do not use the research for extortion, brokerage, or any form of unauthorized commercial gain.

Research conducted under these conditions: we will not initiate civil or criminal action, will not request law enforcement involvement, and will publicly thank you in the advisory if you wish to be credited.

// limits

Safe harbor does not extend to: extortion, data theft for resale, lateral expansion beyond the affected system, social engineering of staff, or research designed to harm our users. We will respond to those activities under all available legal options.

06Recognition

We do not run a paid bug bounty program. We do maintain a public acknowledgment list on the intel feed for researchers who report verified findings in good faith, with the researcher's preferred name and affiliation (or anonymously, if requested).

For high-severity findings that require significant research effort, we may also offer one of: a swag package, a discretionary cash payment from our research budget, or — for researchers who'd find it more valuable — a co-authorship on the resulting writeup.

This is not a substitute for a paid program; we know that. If structured bounty payments are important to you, please consider whether reporting here is the right fit. We will still treat your report with the diligence and respect a paid program would.

07Changes to this policy

This policy is reviewed at least once per year and any time material changes are warranted. The version history is maintained in our public repository at github.com/stealthbyte-labs/policy. Researchers are bound by the version of this policy that was in effect at the time their research was conducted.

Material changes — anything that affects scope, safe harbor, or disclosure timelines — are announced on the intel feed at least 30 days before taking effect.

08Authority

This policy is signed off by the operator leadership of the lab and applies to every engagement, every researcher, and every member of staff. Internal signatures are maintained in our PKI. Questions about authority or scope can be directed to security@stealthbytelabs.com.

End of policy. Last reviewed 2026-04-21. Questions: security@stealthbytelabs.com.

Responsible disclosure.