Forge Security

Responsible Disclosure

Vulnerability Disclosure Policy

Forge welcomes good-faith vulnerability reports that help protect customers, systems, and data. This policy defines the safe path for reporting and coordinated disclosure.

Scope

Reports are welcome for publicly reachable Forge Orbital systems and customer-authorized deployments where testing is explicitly permitted by both the customer and Forge.

Do not test third-party systems, customer systems, employee accounts, vendor systems, or non-public Forge environments unless written authorization covers that exact target.

Allowed Research

  • Non-destructive testing that does not degrade service.
  • Low-volume validation of a suspected vulnerability.
  • Findings involving authentication, authorization, data exposure, injection, cryptographic misuse, or configuration weaknesses.

Prohibited Activity

  • Denial-of-service, load testing, spam, phishing, social engineering, or physical attacks.
  • Exfiltration, modification, deletion, or retention of data beyond the minimum needed as proof.
  • Public disclosure before Forge has had a reasonable opportunity to investigate and remediate.

Report Contents

  • Affected URL, endpoint, version, or artifact.
  • Clear reproduction steps and observed impact.
  • Minimal screenshots, logs, payloads, or request IDs needed to validate the issue.
  • Your preferred name, organization, and disclosure-credit preference.

Forge Response Process

  • Acknowledgment target: 24 business hours.
  • Initial triage target: three business days.
  • Severity model: CVSS v3.1 baseline, adjusted for exploitability and customer impact.
  • Disclosure target: coordinated public disclosure after remediation, typically within 90 days for confirmed vulnerabilities.

Safe Harbor

Forge will not pursue legal action for good-faith research conducted within this policy, reported promptly, and performed without privacy violation, data destruction, service degradation, extortion, or unauthorized persistence.

Researchers who report valid vulnerabilities responsibly may be listed on the Forge Security Hall of Fame unless they prefer to remain anonymous. Forge does not currently operate a paid bug bounty program.