Security / Disclosure

Purpose

This policy defines the conditions under which external research may occur against public Prime 88 surfaces. It is a boundary instrument. Alignment precedes action. Authorization follows alignment.

Authorized Scope

Research is limited to designated public surfaces. Out of scope includes vendor infrastructure, third-party integrations, internal environments, and human operators.

• Confirm presence. Do not expand surface area.
• Observe structure. Do not alter system state.
• Demonstrate proof. Do not establish persistence.
• Report immediately. Do not mistake delay for leverage.

Prohibited Activity

• Denial-of-service, resource exhaustion, or traffic amplification testing
• Social engineering, impersonation, or deceptive interaction with operators or users
• Physical intrusion, environmental probing, or facility-based testing
• Persistence mechanisms, privilege escalation, lateral movement, or command-line establishment
• Automated enumeration or scanning that measurably degrades availability or system posture
• Alteration, retention, replication, redistribution, or destruction of data in any form

Exposure of nonpublic data ends testing.

Reporting

Valid disclosures should contain structural location, mechanism of exposure, reproducible steps, and defined impact boundaries.

Signal outweighs volume. Low-quality or automated submissions may be disregarded.

Response Posture

Where contact information is provided, acknowledgement may occur within three business days. Validation and remediation posture may be communicated when appropriate.

Identity is not shared without consent.

Disclosure Window

Public disclosure is paused while remediation stabilizes. Default guidance is 90 calendar days from acknowledgement.

Boundaries

Authorization under this policy is conditional, limited, and revocable. Nothing within this policy grants license, ownership, access rights, or continued privilege beyond explicitly defined surfaces.