Coordinated Disclosure Policy

GreySurface is my independent security research practice. I identify security weaknesses in software products and report them privately to the affected vendor so they can be fixed before they cause harm.

How I work

  • I report findings privately and directly to the vendor first.
  • I allow 90 days from first contact for a fix before I publish any write-up. This window is flexible: if you need more time, or the timeline doesn't suit you, tell me and I'll adjust it.
  • I never publish exploit code or any detail that would let someone attack an unpatched system, and I redact all third-party or customer data.
  • I test only to the minimum needed to confirm an issue. I don't bulk-extract data, modify records, or disrupt service.
  • Any contribution for my work is entirely voluntary and is never a condition of disclosure.

If you've received a report from me and would prefer a different timeline, or have any questions, contact nick@greysurface.co.uk.