Objective
Design a lightweight governance framework that formalizes how security concerns are received, acknowledged, and reviewed for a personal research site. The objective is to combine clear legal boundaries, defined communication channels, and a simple human decision flow, while explicitly discouraging active testing, probing, or interaction with live systems.
This framework extends the public Vulnerability Disclosure & Acceptable Use Policy by documenting the internal reasoning and structure behind responsible report handling, without encouraging participation beyond accidental discovery.
Framework Components
1. Contact Channel
A single dedicated reporting alias is used to centralize all inbound disclosures. An automated acknowledgement confirms receipt and reinforces scope limitations, non-authorisation of testing, and expected reporter conduct.
2. Authorisation Boundary
Policy language clearly distinguishes accidental discovery from unauthorised activity. The framework enforces a strict “discover only, do not probe” position and explicitly rejects scanning, enumeration, or exploit development under all circumstances.
3. Classification Ladder
A minimal severity banding model (Informational, Minor, Blocking) is used internally to prioritise review effort and learning focus. Classification does not imply validation, remediation commitment, or acceptance of testing activity.
4. Response Expectations
Where applicable and at SyraxOps’ discretion, target acknowledgement is issued within 72 hours of receipt, with a follow-up status update provided within 7 days. All responses remain conditional on scope validation and compliance with policy requirements.
5. Evidence Prompting
Guided prompts encourage reporters to provide clear contextual descriptions of what was observed, without requesting exploit payloads, binaries, or sensitive data. Submissions are limited to non-destructive, text-based descriptions.
6. Recordkeeping
Disclosure metadata and outcomes are recorded in an encrypted internal log for accountability and pattern review. Retention is intentionally limited (12 months, as set out under Safeguards) to minimise unnecessary data collection.
Design & Documentation Decisions
The framework is documented as a Markdown playbook stored alongside the public disclosure policy, separating governance reasoning from public-facing legal text.
Implementation references include:
- Mail rules that label messages whose subject line carries a predefined disclosure prefix and queue them for manual review.
- A standard acknowledgement template linking back to the disclosure policy and legal notice.
- A lightweight review template capturing reporter intent, discovery context, and affected surface.
- Guidance for issuing partial or out-of-scope responses when reports lack sufficient detail or fall outside permitted activity.
Although automation is intentionally minimal, documenting these procedures reduces ambiguity and ensures consistency should additional contact surfaces be introduced in the future.
Safeguards
- Unsolicited binaries, exploit samples, or data exfiltration attempts are explicitly rejected.
- Reporters are required to confirm findings were accidental, non-destructive, and obtained without active testing.
- Large or binary attachments are automatically discarded to avoid handling potentially harmful material.
- All correspondence is stored in an encrypted vault with retention limited to 12 months.
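The mail rule and attachment safeguards above can be expressed as a small inbound triage step. The following is an added example, not code from the SyraxOps playbook: it parses one raw message, labels it by subject prefix, discards any part that is not plain text or that exceeds a size cap, and keeps only the text for manual review. The prefix `[DISCLOSURE]`, the 64 KiB cap and the sample message are all assumptions chosen for illustration.

```python
"""Inbound disclosure-mail triage (illustrative; not the project's own code)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed values, not taken from the policy page: prefix and cap are illustrative.
DISCLOSURE_PREFIX = "[DISCLOSURE]"
MAX_ATTACHMENT_BYTES = 64 * 1024
ALLOWED_TYPES = {"text/plain"}


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a triage verdict.

    label     -- "disclosure" if the subject carries the prefix, else "other"
    rejected  -- list of (filename, reason) for parts that violate the safeguards
    body_text -- concatenated text/plain content retained for manual review
    """
    msg: EmailMessage = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    label = "disclosure" if subject.startswith(DISCLOSURE_PREFIX) else "other"

    rejected = []
    kept = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename() or "(inline)"
        payload = part.get_payload(decode=True) or b""

        # Safeguard: binaries, archives and anything non-text are discarded unread.
        if ctype not in ALLOWED_TYPES:
            rejected.append((filename, f"non-text content type {ctype}"))
            continue
        # Safeguard: oversized text is discarded rather than stored.
        if len(payload) > MAX_ATTACHMENT_BYTES:
            rejected.append((filename, f"exceeds {MAX_ATTACHMENT_BYTES} bytes"))
            continue
        charset = part.get_content_charset() or "utf-8"
        kept.append(payload.decode(charset, errors="replace"))

    return {"label": label, "rejected": rejected, "body_text": "\n".join(kept)}


def build_sample() -> bytes:
    """Constructed sample report (not a real submission) exercising each rule."""
    m = EmailMessage()
    m["From"] = "reporter@example.net"
    m["To"] = "security@example.org"
    m["Subject"] = "[DISCLOSURE] Directory index visible under /notes/"
    m.set_content(
        "While reading the blog I noticed a directory index at /notes/. "
        "No further testing was performed."
    )
    # Constructed binary blob: should be rejected on content type alone.
    m.add_attachment(b"\x7fELF" + b"\x00" * 32, maintype="application",
                     subtype="octet-stream", filename="poc.bin")
    # Constructed oversized text attachment: should be rejected on size.
    m.add_attachment(("A" * (MAX_ATTACHMENT_BYTES + 1)).encode(),
                     maintype="text", subtype="plain", filename="dump.txt")
    return m.as_bytes()


if __name__ == "__main__":
    verdict = triage(build_sample())
    print(verdict["label"])
    for name, reason in verdict["rejected"]:
        print(f"rejected {name}: {reason}")
    print(verdict["body_text"])
```

Rejected parts are recorded by filename and reason only; their bytes are never written anywhere, which is the point of the "discard rather than handle" safeguard. Matching on the subject prefix with `startswith` deliberately fails open into the "other" bucket, so a report without the prefix is still seen by a human rather than dropped.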
Design Observations
- Separating acknowledgement templates from policy text simplifies updates and avoids duplication.
- Lightweight severity banding helps prioritise review effort when multiple submissions arrive close together.
- Documenting review steps early highlights tooling gaps and safe handling requirements before they become operational risks.
Final Note
This framework is governance-focused by design. It does not invite participation, authorise testing, or imply acceptance of unsolicited security activity. Its purpose is to define boundaries, reduce ambiguity, and support responsible communication should accidental disclosures occur.