VulpineOS
Star on GitHub →
Security · Last updated 9 May 2026

Responsible disclosure.

How to report a security issue in VulpineOS, what we treat as in scope, the safe-harbor language we operate under, and the response windows you can expect.

01

Reporting a security issue

Email security@vulpineos.com. For high-impact issues, use the subject line VULN: short title so we can triage faster. We will acknowledge within 2 business days and follow up with the next steps.

For lower-severity, code-level issues you can also open a private security advisory on the relevant GitHub repository:

02

Scope

In scope:

  • vulpineos.com (marketing site)
  • auth.vulpineos.com (waitlist + login)
  • admin.vulpineos.com (operator console)
  • The VulpineOS, Foxbridge, vulpine-mark, and mobilebridge open-source repositories
  • The Vulpine RenderLab consent + diagnostics flow
03

Out of scope

  • Third-party services we use (Vercel, Supabase, Google) — please report those to the upstream provider directly.
  • Self-hosted instances of the open-source runtime that you operate on your own infrastructure.
  • Reports based purely on best-practice headers (HSTS preload, CSP nonces, SPF / DKIM strictness) without a demonstrable security impact.
  • Volumetric denial-of-service, social engineering of staff, and physical access attempts.
  • Vulnerabilities in versions that are no longer the latest published release.
04

Safe harbor

If you make a good-faith effort to comply with this policy, do not access more data than necessary to demonstrate the issue, do not exfiltrate data, do not publicly disclose the issue before we have had a reasonable chance to fix it, and do not disrupt other users, we will:

  • Not pursue legal action against you for that research.
  • Work with you on disclosure timing and credit.
  • Treat your report as a private security advisory until a fix is shipped and users have had time to update.
05

Response expectations

  • Acknowledgement within 2 business days.
  • Initial assessment within 5 business days.
  • Patch + advisory window targeted at 30 days for high-severity issues, faster where the impact justifies it.
  • Public credit on the advisory if you want it (we are happy to coordinate attribution and CVE assignment via the GitHub Security Advisory flow).
06

Encrypted reporting

For sensitive reports, request a PGP key by emailing security@vulpineos.com with the subject PGP REQUEST. We will share the current public key.