research disclosure policy
coordinated disclosure for 1seal research.
policy governing reports submitted by 1seal to vendors, maintainers, and coordinators.
1. scope
this policy governs vulnerability reports submitted by 1seal (Oleh Konko) to upstream
maintainers, vendors, and coordinating bodies. it applies to all reports identified
with an F-* reference or submitted through GitHub Security Advisory
(GHSA), vendor security contact, or equivalent private channel.
for vulnerabilities in 1seal-operated systems, use the 1seal systems security policy.
2. coordinated disclosure
all reports follow coordinated vulnerability disclosure (CVD) by default. 1seal does not publish vulnerability details unilaterally while a coordinated process is active and progressing.
public statements by 1seal are limited to information that is independently and publicly confirmable at the time of the statement, including published commits, merged pull requests, tagged releases, public advisories, and CVE/GHSA records.
3. attribution
1seal expects public attribution in any advisory, changelog, release note, commit message, or other public record associated with a reported issue. the expected credit format is:
reported by Oleh Konko (@1seal)
attribution is independent of any financial compensation, bounty, or non-disclosure agreement. declining a bounty or NDA does not waive the expectation of public credit.
if the vendor intends not to provide attribution, 1seal requests written confirmation of that decision.
4. response timeline
1seal expects an initial substantive response within 14 calendar days of report submission. a substantive response is one that acknowledges receipt and provides a triage determination or a timeline for one.
if no substantive response is received within 30 calendar days, 1seal reserves the right to seek third-party coordination as described in section 6.
5. silent fix
if a public code change that correlates temporally and structurally with the reported issue appears without acknowledgment of the report, 1seal will seek written confirmation of the relationship between the report and the fix, and will request attribution through available channels.
the existence of a public fix without acknowledgment does not, by itself, terminate the coordinated disclosure process. the process concludes when the vendor provides written disposition, or when third-party coordination produces one.
6. escalation
if direct communication with the vendor does not produce a disposition within a reasonable timeframe, 1seal may pursue the following escalation path:
- direct follow-up to the vendor, referencing the original report and requesting written status confirmation
- CERT/CC VINCE referral for third-party coordination when the vendor is unresponsive or when the report disposition is disputed
- MITRE CNA-of-last-resort for CVE assignment when the vendor CNA is unresponsive and a CVE is warranted
at each stage, 1seal does not publish vulnerability details beyond what is publicly confirmable. escalation is a coordination mechanism, not a disclosure threat.
7. duplicate determinations
if a report is determined to be a duplicate of an earlier submission, 1seal may request written confirmation that the duplicate determination was based on a prior report that:
- was received before the 1seal submission
- covered the same root cause
- addressed the same affected component and exploit path
if confidentiality prevents identification of the prior report, 1seal requests confirmation that the determination was independently validated.
8. what this policy does not cover
- legal advice or legal obligations beyond professional norms
- automatic public disclosure timelines
- financial compensation, bounties, or reward programs governed by vendor-specific terms
- information obtained through means other than good-faith security research
9. good faith
all research conducted under this policy is performed in good faith, with the intent to improve the security of the affected software.
- 1seal does not access, exfiltrate, or retain user data
- 1seal does not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- 1seal does not demand compensation as a condition for coordinated disclosure
10. contact
- email: oleh@1seal.org
- github: @1seal
- web: 1seal.org
changelog
| version | date | changes |
|---|---|---|
| 1.0 | 2026-03-27 | initial policy: coordinated disclosure by default; public statements limited to publicly confirmable information |
| 2.0 | 2026-04-04 | added attribution expectation, 14/30-day response timeline, silent-fix clause, escalation path with CERT/CC VINCE and MITRE CNA-of-last-resort, duplicate-determination process, scope exclusions, and good-faith statement. restructured from informal statement to numbered sections. |