Skip to content

Security: 577Industries/.github

Security

SECURITY.md

Security Policy

577 Industries builds systems for missions where being wrong is expensive. We treat security reports the same way we treat our own evidence: seriously, promptly, and with attribution.

Reporting a vulnerability

Please include: the repository and commit/release affected, reproduction steps or a proof of concept, and the impact as you understand it. Encrypted mail is fine — ask us for a key in a first plaintext message if you need one.

Scope

All public repositories under the 577Industries organization. For anything touching the commercial FORGE OS platform (577industries.com), the same address applies.

What to expect (coordinated disclosure)

Stage Our commitment
Acknowledgement Within 3 business days
Triage + severity assessment Within 10 business days
Fix or documented mitigation Target 90 days from acknowledgement; we will tell you if we need longer and why
Credit Public credit in the release notes / advisory unless you ask otherwise

We ask that you give us the 90-day window before public disclosure, and that you avoid accessing data that isn't yours, degrading service, or pivoting beyond the minimum needed to demonstrate the issue.

Safe harbor

Good-faith security research conducted within this policy is authorized. We will not pursue legal action for research that respects the scope and disclosure window above. This safe harbor does not extend to social engineering, physical attacks, or testing systems we do not control.

Out of scope

  • Volumetric denial of service
  • Findings that require a compromised developer machine or stolen credentials as a precondition
  • Reports generated by automated scanners without a demonstrated impact

Evaluation-frozen repositories

Some repositories are under active government evaluation (noted in their READMEs). Security reports on them are welcome and handled under this same policy — but fixes may land as advisories first, with code changes batched after the evaluation window, to preserve artifact stability.

There aren't any published security advisories