Responsible security disclosure
We investigate credible reports impacting HostStack-operated endpoints, portals, TLS surfaces, privileged automation, or multi-tenant abuse that could degrade customer confidentiality or availability. Abuse of customer-owned content without a systemic provider defect usually routes through abuse workflows instead.
Preferred channel
Email [email protected] using the subject prefix [security]. Optionally attach redacted PCAPs and reproduction timing in UTC.
Machine-readable pointer file: /.well-known/security.txt (hosted on this site).
What to include
- A concise description and the affected URL or component.
- Steps to reproduce and estimated severity (confidentiality / integrity / availability).
- Optional PGP fingerprint if you insist on asymmetric mail. Organisational key distribution is on the roadmap; plaintext mail is acceptable today.
OpenPGP (optional mail encryption)
Organisational encryption keys rotate infrequently. We will publish a fingerprint and armour block on this page, alongside the /.well-known/security.txt Policy lines, once operations finalises quorum access. Until then plaintext mail remains acceptable.
- Researchers comfortable waiting should ask for coordinated key publication acknowledgement in their first disclosure mail.
- Bug bounty remuneration remains out-of-band unless marketed separately elsewhere.
- We aim for a human acknowledgement within 5 India business days, faster when impact is evidently widespread.
- Please allow coordinated disclosure; avoid active data exfiltration or persistent shells on production.
- This page is procedural guidance—not a bug bounty financial commitment.