Last updated: May 20, 2026
Security
If you think you've found a vulnerability in any yeil product, tell us before you tell anyone else. We'll work with you to confirm it, patch it, and credit you if you want.
How to report
Email security@yeil.org. Encrypt with our PGP key if it matters to you. Fingerprint: 3967 AB25 08B8 6DEB 169D E31D 132B B4E9 1E4C 104D. Include:
- A clear description of the issue.
- Steps to reproduce, or a proof of concept.
- Whether you've disclosed it anywhere else.
- How you'd like to be credited (optional).
We'll acknowledge within two business days and aim to ship a fix or a public mitigation within thirty days for most issues, sooner for anything that's actively exploitable.
What's in scope
- yeil.app and every subdomain.
- yeil.org and every subdomain.
- The authoritative DNS at a.ns.yeil.org / b.ns.yeil.org.
- The mail edges at smtp.yeil.org and imap.yeil.org.
What's out of scope
- Third-party services we use (Stripe, Linode, Vultr, AWS); report those to their respective teams.
- Issues that require a stolen device or already-compromised credentials, unless the underlying mechanism is the vulnerability.
- Theoretical reports without a working proof of concept.
- Findings from automated scanners with no manual verification (CVSS scores alone aren't enough).
Rules of engagement
- No destructive testing. Don't modify or delete data that isn't yours. Don't exfiltrate user data beyond what's needed to demonstrate the issue.
- No DoS or load testing. If you can take it down with one weird packet, just tell us; don't prove it by taking it down.
- Use your own accounts. You can sign up a few testing accounts; don't poke at other users'.
- Stay civil. We're a small team; a demanding tone shortens our patience faster than the bug shortens our timelines.
Bounties
We don't have a paid bug bounty program yet. We'll list credited researchers on this page once we've had a few reports. If you find something serious, we'll work out a thank-you that feels fair.