Security & disclosure
We welcome good-faith reports. Our work runs inside customer environments; we don’t expose customer data or runtime surfaces. This page explains how to report issues responsibly.
How to report
- Email: security@echoclonelabs.com
- Security.txt: /.well-known/security.txt
- PGP: public key (optional)
What to include
- Clear description, affected URL or file path, and minimal reproducible steps
- Expected vs. actual behavior, and any proof-of-concept
- Your contact details for coordinated follow-up
Scope
- In scope: echoclonelabs.com static site and public assets
- Out of scope: any third-party services, customer environments, or non-production sandboxes
Safe harbor (good-faith)
We won’t initiate legal action against researchers who: (a) report issues to us promptly, (b) make a good-faith effort to avoid privacy violations, service disruption, or access to data beyond what’s necessary to demonstrate the issue, and (c) give us a reasonable time to remediate before public disclosure.
Do not
- No DDoS, spam, or social engineering
- No ransomware, data exfiltration, or persistence
- No automated scanning that impacts availability
Acknowledgments
We’re happy to thank contributors here (opt-in). Send the display name you prefer.
Our response
We aim to acknowledge within 3 business days and provide status updates until closure. We don’t run a public bug bounty; this is a vulnerability disclosure channel.
Last updated: 30 Sep 2025 • This page follows common VDP guidance (e.g., OWASP VDP Cheat Sheet; safe-harbor patterns popularized by disclose.io).