577 Industries builds systems for missions where being wrong is expensive. We treat security reports the same way we treat our own evidence: seriously, promptly, and with attribution.
- Email: security@577industries.com
- Or use GitHub's Report a vulnerability (private advisory) on the affected repository.
Please include: the repository and commit/release affected, reproduction steps or a proof of concept, and the impact as you understand it. Encrypted mail is fine — ask us for a key in a first plaintext message if you need one.
All public repositories under the 577Industries organization. For anything touching the commercial FORGE OS platform (577industries.com), the same address applies.
| Stage | Our commitment |
|---|---|
| Acknowledgement | Within 3 business days |
| Triage + severity assessment | Within 10 business days |
| Fix or documented mitigation | Target 90 days from acknowledgement; we will tell you if we need longer and why |
| Credit | Public credit in the release notes / advisory unless you ask otherwise |
We ask that you give us the 90-day window before public disclosure, and that you avoid accessing data that isn't yours, degrading service, or pivoting beyond the minimum needed to demonstrate the issue.
Good-faith security research conducted within this policy is authorized. We will not pursue legal action for research that respects the scope and disclosure window above. This safe harbor does not extend to social engineering, physical attacks, or testing systems we do not control.
- Volumetric denial of service
- Findings that require a compromised developer machine or stolen credentials as a precondition
- Reports generated by automated scanners without a demonstrated impact
Some repositories are under active government evaluation (noted in their READMEs). Security reports on them are welcome and handled under this same policy — but fixes may land as advisories first, with code changes batched after the evaluation window, to preserve artifact stability.