
Vulnerability Reporting

Responsible disclosure for Haynechi.

A public security reporting path for the static site, contact intake, and trust-discovery surfaces; the governed workspace remains a scoped future-app boundary and is not covered here.

Security Intake

Report issues with enough evidence to reproduce safely.

This responsible disclosure path helps confirm impact while keeping private data, service availability, and public-scope boundaries intact.

Report Packet
Evidence first
Affected surface (required)

Public route, form endpoint, generated asset, header, redirect, or security.txt path.
Reproduction steps (required)

Exact request, browser behavior, payload, screenshots, and the minimum steps needed to confirm the issue.
Observed impact (required)

What data, integrity, availability, or trust boundary could be affected if exploited.
Researcher contact (optional)

Email or preferred contact method for follow-up and coordinated resolution.
Scope
Public surfaces
Public marketing site (in scope)

Static HTML, CSS, JS, generated metadata, sitemap, robots.txt, llms.txt, redirects, and headers.
Contact intake (in scope)

Cloudflare Pages contact function, validation behavior, honeypot filtering, and webhook forwarding boundaries.
Security discovery (in scope)

security.txt, responsible disclosure route, public trust pages, and documented reporting paths.
Private systems (out of scope)

Customer data, CRM, analytics, email, warehouse, accounts, and third-party systems are out of scope unless explicitly authorized.
Triage Path
Current process
01 Receive report

Acknowledge the submission path and preserve enough detail to reproduce the issue.

02 Triage impact

Classify affected surface, severity, exploitability, and whether customer or prospect data could be involved.

03 Fix or mitigate

Patch static assets, headers, functions, redirects, configuration, or documentation as appropriate.

04 Close loop

Share resolution status with the reporter when contact information is provided and public disclosure is coordinated.

Research Boundaries
Safe scope
Non-destructive testing

Reports preserve service availability, data integrity, rate-limit safety, and system boundaries.

Customer data boundary

Testing stops immediately if private, personal, or customer-provided data appears.

Public-scope research

Research stays focused on public routes, generated assets, contact intake, and documented trust-discovery surfaces.

Reporting path status

This page defines a reporting path rather than a paid bounty or guaranteed reward program.

Disclosure Triage Room

Turn each report into an evidence chain, not a vague inbox item.

The public reporting path shows how Haynechi reasons about severity, affected surfaces, mitigation artifacts, and disclosure boundaries; the authenticated workspace remains future-app scope.

Severity Model
Impact first
Critical (urgent)

Public path exposes private, personal, customer-provided, authentication, webhook, or secret material.
High (high)

Contact intake, headers, redirects, generated assets, or trust-discovery routes can be abused with meaningful impact.
Medium (review)

Misconfiguration, broken security expectation, validation weakness, or scoped information disclosure with limited blast radius.
Informational (observe)

Hardening suggestion, documentation gap, or low-impact issue that improves public security posture.
Evidence Chain
Report to fix
Report record (intake)

Affected URL, request, payload, browser state, timestamp, researcher contact, and reproduction notes are preserved.
Surface class (classify)

Static route, Pages Function, generated file, header, redirect, security.txt, or future-app boundary is labeled.
Impact model (assess)

Data, integrity, availability, trust, disclosure, and customer-boundary impact are separated before prioritization.
Fix package (close)

Patch, configuration change, documentation update, monitoring note, and closeout communication are tied to the report.
Control State
Current truth
Static surface (implemented)

Public generated site, headers, redirects, metadata, security.txt, and disclosure route are implemented.
Contact function (implemented)

Validation, honeypot filtering, optional webhook forwarding, and local preview fallback are implemented.
Authenticated app (future app)

Workspace auth, roles, audit logs, retention, deletion, and customer-data controls are future-app scope.
Bounty program (not active)

Paid bounty, safe-harbor commitment, and guaranteed response SLA remain inactive until formally established.
Triage Artifacts
Review packet
Reproduction packet

Minimal safe steps, expected behavior, observed behavior, request details, screenshots, and affected surface.

Triage note

Severity reasoning, exploitability, data boundary, customer exposure risk, and mitigation owner.

Mitigation record

Code or configuration change, generated asset update, header/redirect adjustment, or documentation correction.

Closeout note

Reporter status, coordinated disclosure posture, unresolved caveats, and public-claim boundaries.

Safe Testing Boundaries
Public scope
Good-faith testing

Reports minimize access, avoid harm, and stop immediately if private or customer data appears.

Public scope only

Testing stays on Haynechi public routes and contact intake unless explicit authorization expands scope.

Ephemeral access

Research avoids shells, account creation, secret exfiltration, data alteration, or maintained access after discovery.

Coordinated disclosure

Public disclosure is coordinated after enough time to validate, mitigate, and communicate responsibly.