SHLORBT

Vulnerability Disclosure Policy

Purpose

SHLORBT Research Labs is committed to advancing system-level software security through responsible research and coordinated vulnerability disclosure. This policy outlines how security findings may be reported to us, how such reports are handled, and the principles that guide our disclosure process.

The objective of this policy is to enable constructive collaboration, reduce systemic risk, and ensure that security issues are addressed in a manner that is lawful, ethical, and technically rigorous.


Scope

This policy applies to security findings related to:

This policy does not apply to:

Client engagements and confidential assessments are governed by separate, private disclosure processes defined contractually.


Research Focus

SHLORBT Research Labs’ research emphasis lies in low-level and system-adjacent software domains, including operating system components, firmware, compiled binaries, runtimes, and execution integrity mechanisms.

Reports aligned with this focus are prioritized. Generic web application issues or high-level configuration findings may fall outside the scope of this policy.


Reporting a Vulnerability

Security findings may be reported via email to:

security@shlorbt.cloud

When submitting a report, researchers are encouraged to include sufficient technical detail to allow reproduction and verification. This may include affected components, execution context, version information, and any relevant analysis or proof-of-concept material.

All reports should be submitted in good faith and without exploitation beyond what is necessary to demonstrate the issue.


Coordinated Disclosure Process

Upon receiving a report, SHLORBT Research Labs will:

  1. Acknowledge receipt within 3 business days of submission.
  2. Conduct an internal technical review to assess validity and impact within 5-7 business days.
  3. Where appropriate, coordinate with affected vendors, maintainers, or stakeholders.
  4. Work toward remediation or mitigation prior to public disclosure.

Public disclosure, including advisory publication or CVE assignment, is conducted in a coordinated manner with relevant parties wherever possible.


Vulnerability Disclosure Timeline

SHLORBT Research Labs adheres to the principles of Coordinated Vulnerability Disclosure (CVD). Our goal is to balance public transparency with the time required for effective remediation.

  1. Standard Window: Public disclosure will typically occur 90 days after the initial vendor notification.
  2. Extensions: SHLORBT may grant extensions on a case-by-case basis, factoring in the severity of the flaw, technical complexity, and the vendor’s progress toward a patch.
  3. Exceptions: We reserve the right to accelerate disclosure if a vulnerability is being actively exploited in the wild or if the risk to the public is deemed imminent.

Safe Harbor

SHLORBT Research Labs considers security research conducted in good faith and in accordance with this policy to be authorized.

We will not pursue legal action against researchers who:


Recognition and Attribution

SHLORBT Research Labs does not operate a bug bounty or monetary reward program.

Attribution or acknowledgment may be provided at our discretion for responsible reports that result in validated findings or advisories. Recognition is not guaranteed and may be withheld where confidentiality or legal considerations apply.


Researchers submitting reports under this policy are expected to:

SHLORBT Research Labs will not pursue legal action against researchers who act in good faith, adhere to this policy, and report findings responsibly.


Export and Regulatory Considerations

Certain research findings, technical details, or artifacts may be subject to export control or regulatory requirements. SHLORBT Research Labs reserves the right to limit dissemination of sensitive details in accordance with applicable laws.


Changes to This Policy

This policy may be updated periodically to reflect changes in our research scope, regulatory environment, or operational practices. The most current version will always be published on this site.


Contact

For questions related to this policy or responsible disclosure, please contact:

security@shlorbt.cloud