
// SECURITY OPERATIONS
Responsible Disclosure
Our framework for ethical security research. We collaborate with the global infosec community to continually harden our security perimeter.
DIGITAL PROTOTYPE LTD
Vulnerability Disclosure Protocol
1. The Engineering of Security
At DIGITAL PROTOTYPE LTD, we architect deterministic, high-availability systems. However, we acknowledge that no security perimeter is flawless. We value the global cybersecurity community and recognize the critical role that ethical hackers and security researchers play in maintaining a secure digital ecosystem.
This Responsible Disclosure Protocol outlines the authorized framework for identifying, testing, and reporting vulnerabilities in our own infrastructure.
2. Safe Harbor Agreement
We consider security research executed in strict accordance with this protocol to be lawful, authorized, and highly beneficial. If you adhere to these guidelines:
- We will not initiate civil litigation or file criminal charges against you concerning the specific research.
- We will not seek the suspension of your accounts or digital access.
- We will work with you to understand and rapidly remediate the reported vulnerability.
3. Rules of Engagement
To maintain safe harbor status, researchers must strictly adhere to the following operational parameters during testing:
- No Destructive Testing: You must not execute Denial of Service (DoS/DDoS) attacks, resource exhaustion, or any action that degrades the availability or performance of our API gateways.
- Data Handling: If you gain access to data you are not authorized to see, stop immediately and report it. Retain only the minimum evidence needed to demonstrate the issue; you must not exfiltrate, modify, delete, or monetize any corporate or personal data.
- No Social Engineering: Phishing, vishing, or any form of social engineering directed at our personnel, clients, or supply chain vendors is strictly prohibited.
- No Physical Breaches: Physical access to our data centers, corporate offices, or hardware is categorically out of scope.
4. Scope of Authorization
The scope of this protocol is strictly limited to infrastructure owned and directly operated by DIGITAL PROTOTYPE LTD.
In-Scope Targets:
- Our primary web architecture: *.digitalprototype.at (or your actual domain)
- Public-facing API endpoints explicitly managed by our engineering team.
Out-of-Scope Targets:
- Client Infrastructure: Any system, database, or network managed on behalf of our enterprise clients is absolutely out of scope. Probing client perimeters will be treated as a hostile breach.
- Third-party SaaS providers, cloud hosting vendors, and CI/CD pipelines not directly maintained by us.
5. Confidential Reporting Mechanism
All vulnerability reports must be submitted confidentially. Public disclosure prior to remediation constitutes a breach of this protocol.
Please compile a detailed technical report, including a reproducible Proof of Concept (PoC), HTTP request/response logs, and step-by-step reproduction instructions. Submit the report to our security engineering team at:
Email: security123prototype.at
(Note: If the report contains sensitive exploit details, such as a working zero-day exploit, request our public PGP key before transmission and encrypt the report with it so that it is protected in transit.)
6. Remediation SLA and Recognition
Upon receipt of a valid report, we commit to the following Service Level Agreement (SLA):
- Initial Triage: We will acknowledge receipt of your report within two business days.
- Validation: We will confirm the existence of the vulnerability and its severity rating within 7 days.
- Remediation: We will deploy a patch or architectural fix within a timeline commensurate with the vulnerability's severity.
While we do not currently operate a formalized cash Bug Bounty program, we believe in recognizing exceptional work. Valid, critical reports may be rewarded with discretionary honorariums, swag, or public inclusion in our Security Hall of Fame, entirely at the Agency's discretion.
Last Compiled and Verified: October 2024 (Version 1.1.0)