Vulnerability Disclosure Policy

Purpose

SHLORBT Cloud is committed to advancing system-level software security through responsible research and coordinated vulnerability disclosure. This policy outlines how security findings may be reported to us, how such reports are handled, and the principles that guide our disclosure process.

The objective of this policy is to enable constructive collaboration, reduce systemic risk, and ensure that security issues are addressed in a manner that is lawful, ethical, and technically rigorous.

Scope

This policy applies to security findings related to:

• Publicly distributed software, compiled binaries, firmware, and system-level components
• Open-source projects and widely deployed software within our research focus
• Research artifacts, tools, or datasets explicitly designated by SHLORBT Cloud as in scope

This policy does not apply to:

• Client-specific systems or proprietary software assessed under contractual agreements
• Live production systems without explicit authorization
• Social engineering, denial-of-service testing, or physical security testing

Client engagements and confidential assessments are governed by separate, private disclosure processes defined contractually.

Research Focus

SHLORBT Cloud’s research emphasis lies in low-level and system-adjacent software domains, including operating system components, firmware, compiled binaries, runtimes, and execution integrity mechanisms.

Reports aligned with this focus are prioritized. Generic web application issues or high-level configuration findings may fall outside the scope of this policy.

Reporting a Vulnerability

Security findings may be reported via email to:

security@shlorbt.cloud

When submitting a report, researchers are encouraged to include sufficient technical detail to allow reproduction and verification. This may include affected components, execution context, version information, and any relevant analysis or proof-of-concept material.

All reports should be submitted in good faith and without exploitation beyond what is necessary to demonstrate the issue.

Coordinated Disclosure Process

Upon receiving a report, SHLORBT Cloud will:

1. Acknowledge receipt within a reasonable timeframe.
2. Conduct an internal technical review to assess validity and impact.
3. Where appropriate, coordinate with affected vendors, maintainers, or stakeholders.
4. Work toward remediation or mitigation prior to public disclosure.

Public disclosure, including advisory publication or CVE assignment, is conducted in a coordinated manner with relevant parties wherever possible.

Disclosure Timeline

SHLORBT Cloud aims to balance transparency with responsible handling. Disclosure timelines may vary based on severity, complexity, and coordination requirements.

In general, reasonable time will be provided for remediation before public disclosure. Exceptions may apply where risk to users is imminent or where coordination is not feasible.

Recognition and Attribution

SHLORBT Cloud does not operate a bug bounty or monetary reward program.

Attribution or acknowledgment may be provided at our discretion for responsible reports that result in validated findings or advisories. Recognition is not guaranteed and may be withheld where confidentiality or legal considerations apply.

Legal and Ethical Conduct

Researchers submitting reports under this policy are expected to:

• Comply with applicable laws and regulations
• Avoid accessing or modifying data beyond what is necessary for validation
• Refrain from disrupting services or impacting users
• Respect privacy and data protection requirements

SHLORBT Cloud will not pursue legal action against researchers who act in good faith, adhere to this policy, and report findings responsibly.

Export and Regulatory Considerations

Certain research findings, technical details, or artifacts may be subject to export control or regulatory requirements. SHLORBT Cloud reserves the right to limit dissemination of sensitive details in accordance with applicable laws.

Changes to This Policy

This policy may be updated periodically to reflect changes in our research scope, regulatory environment, or operational practices. The most current version will always be published on this site.

Contact

For questions related to this policy or responsible disclosure, please contact:

security@shlorbt.cloud