Responsible disclosure

How to report a vulnerability in something we operate, and how we handle vulnerabilities we find elsewhere.

Contact: security@marionette.in
Acknowledged within 3 business days
Initial timeline within 10 business days

§ 01   Reporting to us

Send vulnerability reports to security@marionette.in. Include enough for us to reproduce the issue: steps, screenshots, proof-of-concept code, or traffic captures. Request our PGP key from the same address if you need to encrypt your report.

This policy covers marionette.in and its subdomains, Namewatch, and other internet-facing infrastructure operated by Marionette Consulting.

§ 02   What we ask

  • Allow reasonable time to investigate and fix before public disclosure.
  • Don't access, modify, or delete other users' data.
  • Don't test denial-of-service conditions.
  • Don't run automated scanning against production at scale without prior written approval.

§ 03   What we commit to

  • Acknowledge reports within 3 business days.
  • Provide an initial remediation timeline within 10 business days.
  • No legal action against researchers acting in good faith under this policy.
  • Public credit on request, once the fix is in place.

§ 04   Out of scope

  • Physical security testing or in-person social engineering.
  • Systems not owned or operated by Marionette Consulting.
  • Missing security headers without demonstrated impact.
  • Reports generated solely by automated tools without manual verification.

§ 05   Vulnerabilities we find

In the course of client work, product development, and independent research we sometimes find vulnerabilities in third-party software, hardware, or services. When we do, we follow a coordinated disclosure process.

  • Report privately to the affected vendor or maintainer with enough detail to reproduce and fix.
  • Allow a 90-day remediation window from initial contact before public disclosure.
  • Shorten that window if the vendor is unresponsive, the issue is actively exploited, or user risk is immediate.
  • Never sell, trade, or weaponise vulnerabilities outside authorised client work.
  • Publish advisories with enough detail for defenders to act.

Vendors coordinating with us on a report we sent should use security@marionette.in.