Responsible Disclosure Policy
How to report a security issue in Forge NC infrastructure, the Forge CLI, the external runner, or the verification protocol.
Report to: security@forge-nc.dev
Acknowledgement SLA: within 5 business days
Machine-readable contact: /.well-known/security.txt
Scope
The following are in scope for security reports:
- The forge-nc.dev web application, dashboard, admin panel, and API subdomain (api.forge-nc.dev)
- The Forge CLI (Python package published on PyPI as forge-nc)
- The external runner Docker image (published on GHCR)
- The Forge Certified Audit protocol, signature scheme, and verification logic
- Any /.well-known/ artifact or documented endpoint
Out of Scope
- Third-party service vendor infrastructure (RunPod, Cloudflare, Stripe, HuggingFace, GitHub, Discord) — report those to the respective vendor
- Social engineering attacks or physical security
- Denial-of-service tests against production without prior written authorization
- Findings that require root access to an already-compromised host
- Reports of models producing harmful outputs (the purpose of Forge is to measure this; please open a GitHub issue instead)
What to Include
- A clear description of the vulnerability
- Steps to reproduce
- Affected component (web, CLI, protocol, etc.) and version if known
- Potential impact
- Do NOT include working exploit code in the initial message. We'll request proof-of-concept through a secure channel after acknowledgement.
Our Commitments
- Acknowledge receipt within 5 business days
- Provide an assessment and expected remediation timeline within 14 business days
- Notify the reporter when the issue is resolved
- Coordinate public disclosure jointly, not before the fix is available
- Not pursue legal action against good-faith researchers who follow this policy
Safe Harbor
Forge NC will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and disruption of service
- Only interact with accounts they own or have explicit written permission to test
- Do not exfiltrate data beyond the minimum necessary to demonstrate the issue
- Report the issue promptly and allow reasonable time for remediation before public disclosure
Bug Bounty
Forge NC does not currently operate a paid bug bounty program. Good-faith reports are sincerely appreciated. We may introduce a bounty program in the future; when we do, it will be announced on this page and in the newsroom.
Updates
This policy was last updated 2026-06-17. Material changes will be announced at /news.