Blankline Security invites researchers to identify vulnerabilities in our infrastructure. We operate a "Safe Harbor" program: researchers acting in good faith and adhering to this policy are authorized to test our systems and will not face legal action.
Safe Harbor Status: Authorization is granted to access data only for the purpose of demonstrating a vulnerability. Do not exfiltrate data.
The following assets are explicitly in scope for this program. Any asset not listed here is out of scope.
As a research institute, we currently prioritize infrastructure integrity over monetary compensation. However, we believe in honoring those who help secure the frontier. Successful submissions are rewarded with public attribution and reputation verification.
Examples: RCE, SQLi, Authentication Bypass, Model Weight Exfiltration.
Examples: IDOR, Stored XSS, Privilege Escalation.
Do not destroy data. If you encounter PII, stop immediately and report the finding. Do not dump the database.
No Social Engineering. Attacks targeting Blankline employees (phishing, vishing) are strictly out of scope.
Automated Scans. High-volume automated scanning is prohibited on production endpoints. Use the staging environment.
For critical vulnerabilities, encrypt your report using our PGP key. Reports containing PII must be encrypted.