If you believe you’ve found a security issue in anything we operate — yetisecurity.cz, verify.yetisecurity.cz, our public tooling repos, or any service we host — please tell us. We will not pursue legal action against researchers acting in good faith under this policy.
In scope
- yetisecurity.cz and all its subdomains
- verify.yetisecurity.cz attestation service
- Public repositories under github.com/yeti-security/*
- Any artifact we explicitly publish (PGP keys, public reports, downloadable tooling)
Out of scope
- Customer environments — even ones we’ve recently tested. Those belong to the customer; please report to them directly.
- Findings that depend on physical access, social engineering of staff, or rate-limiting/DoS.
- Reports generated by automated scanners with no manual validation.
How to report
Email: [email protected] — encrypted with our PGP key if the material is sensitive. Fingerprint: 4F2A 1B7C 9E3D 8B41 6F02; full key at yetisecurity.cz/pgp.txt.
Please include:
- Steps to reproduce
- Impact (what does this let an attacker do?)
- Optional: a suggested fix or mitigation
- Your name and how you’d like to be credited (or to remain anonymous)
What you can expect
- Acknowledgement within one business day
- Triage and severity assessment within five business days
- A fix or written rationale within thirty days for High/Critical findings
- Public credit in our disclosure log, if you wish — and a thank-you gift for findings that materially improve our security posture
Safe harbour
So long as you:
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Only interact with accounts you own or have explicit permission to access
- Report findings promptly through the channel above
…we will not initiate or support legal action against you for your research, including under the Computer Fraud and Abuse Act, DMCA anti-circumvention, or any equivalent local statute.
Bounty
We don’t run a paid bug-bounty program. We do send a hand-written postcard and a small Yeti.Security care package (sticker, patch, occasional t-shirt) for findings we act on. Researchers who find critical issues get listed in our hall of fame — with your consent.