Responsible Disclosure Policy

1. Our Commitment

We recognize the invaluable contribution of the cybersecurity community in keeping the internet safe. When you report a vulnerability to us, we commit to taking every report seriously, investigating your findings thoroughly, and maintaining an open line of communication throughout the process. We are truly grateful for your time and effort in helping us stay secure.

2. Scope

This policy applies to all internet-facing services and systems provided under the following domain:

• *.royalsnek.com

Note: Third-party services or integrations not directly operated by RoyalSnek are excluded from this scope.

3. Submission Channels & Response

If you believe you have discovered a security vulnerability, please report it through one of the following channels:

• Email: security@royalsnek.com
• Support: Submit a dedicated security support ticket through our portal.

We respect your time and aim to provide an initial response and evaluation of your report within 5 to 14 business days of reception.

Secure Communication (PGP)

For sensitive findings, we encourage encrypting your report using our PGP key:

Fingerprint: 4E6B 12A9 88C3 00F1 77B2  D4E5 99A1 0B22 1234 ABCD
Key ID: 0x1234ABCD

4. Report Requirements

To help our team validate the issue efficiently, your report must include clear and concise details. While a Proof of Concept (PoC) is not mandatory for the initial filing, it is highly recommended to help us understand the impact faster.

5. Mandatory Embargo

By submitting a report, you agree to a mandatory embargo period to ensure our users remain protected. Public disclosure is prohibited until:

• 90 days from the date a RSIG team member has personally received and acknowledged the report, OR
• Until a formal patch has been released by our team.

6. Report Evaluation & Rejection

While we investigate every submission, RoyalSnek reserves the right to reject reports that do not meet our criteria. A report may be rejected for reasons including, but not limited to:

• Insufficient Detail: The report lacks the information necessary to understand the vulnerability.
• Inability to Reproduce: Our team is unable to verify the issue based on the provided steps.
• Scope Conflict: The vulnerability exists in a third-party service or integration not directly operated by RoyalSnek.

In the event of a rejection, we will inform you as soon as possible and provide the specific reasoning behind our decision. Please note that RoyalSnek does not re-evaluate reports once a final rejection has been issued.

7. Compensation & Recognition

As a gesture of our appreciation for your voluntary work, we want to ensure you receive proper credit for your contributions:

• Voluntary Basis: All reports are made voluntarily. RSIG does not offer bug bounties or monetary rewards.
• First-to-Report: We only award credit to the first researcher to report a specific, verifiable vulnerability.
• Credit: If accepted, your name or pseudonym will be officially credited in the relevant patch notes to acknowledge your help.

8. Safe Harbor

RoyalSnek will not initiate legal action against researchers who report vulnerabilities in good faith. If we find that a report was filed without malicious intent and solely for the purpose of improving our security, we consider your research to be authorized. We want you to feel safe helping us, provided you adhere to the ethics and guidelines outlined in this policy.

9. Changes to this Policy

We reserve the right to modify this policy at any time by publishing a revised version on this page. Vulnerabilities disclosed prior to any update will remain subject to the policy version in effect at the time of the report.