Security: archyter/pyun-stream

SECURITY.md

Security Policy

Introduction

Pyun is an open source project focused on building modern, secure, and reliable software experiences for developers and users.

We take security seriously and greatly appreciate responsible disclosure from security researchers, contributors, and the community.

Guidelines

We ask all security researchers to:

  • Act in good faith to avoid privacy violations, data destruction, service disruption, or unauthorized access;
  • Research only within the scope described in this policy;
  • Provide clear, reproducible reports with concise proof-of-concept information when possible;
  • Keep vulnerability details confidential until the issue has been resolved and publicly disclosed by the Pyun team; and
  • Avoid exploiting vulnerabilities beyond what is necessary to demonstrate impact.

If you follow these guidelines, we commit to:

  • Treat your research as authorized under this policy;
  • Work with you to validate and resolve issues as quickly as possible;
  • Acknowledge receipt of reports within 72 hours whenever possible; and
  • Maintain transparent communication throughout the remediation process.

Expectations

When reporting vulnerabilities responsibly, you can expect us to:

  • Review and validate your report in a timely manner;
  • Work to remediate legitimate vulnerabilities as quickly as reasonably possible;
  • Keep you informed about remediation progress when appropriate; and
  • Credit responsible researchers who are first to report a unique and valid security issue that results in a fix or security improvement.

In-Scope Vulnerabilities

The following categories are generally considered in scope:

  • Remote Code Execution (RCE)
  • Authentication bypass vulnerabilities
  • Privilege escalation
  • Sensitive data exposure
  • Arbitrary file read/write vulnerabilities
  • Injection vulnerabilities
  • Server-side request forgery (SSRF)
  • Security issues affecting user confidentiality or integrity
  • Dependency vulnerabilities that materially impact Pyun users

This scope includes:

  • Core Pyun applications and services
  • Official repositories and packages
  • Official APIs and infrastructure
  • First-party integrations and maintained extensions

We also welcome reports involving third-party dependencies when they directly affect the security of Pyun users or infrastructure. When appropriate, please also report dependency-specific vulnerabilities to the upstream maintainers.


Out-of-Scope Vulnerabilities

The following are generally considered out of scope:

  • Missing security headers without demonstrated exploitability
  • Rate limiting or brute-force concerns without meaningful impact
  • UI/UX issues, visual bugs, or spelling mistakes
  • Self-XSS requiring unrealistic user interaction
  • Vulnerabilities requiring physical access to a device
  • Reports generated solely from automated scanners without manual validation
  • Denial-of-service attacks requiring excessive traffic or infrastructure abuse
  • Social engineering, phishing, or attacks against Pyun staff or contributors
  • Vulnerabilities in unsupported or outdated third-party software
  • Issues requiring users to intentionally disable security protections

Ground Rules

To help distinguish legitimate security research from malicious activity, we ask that you:

  • Follow this policy and all applicable laws;
  • Report vulnerabilities promptly after discovery;
  • Avoid accessing, modifying, or deleting data that does not belong to you;
  • Avoid actions that negatively impact service availability or user experience;
  • Use only official communication channels for vulnerability disclosure;
  • Test only against systems that are clearly in scope;
  • Avoid automated scanning or aggressive traffic generation against production infrastructure; and
  • Never attempt extortion or demand payment in exchange for disclosure.

Disclosure Policy

We support responsible disclosure and coordinated remediation.

Please do not publicly disclose vulnerabilities until:

  • The issue has been resolved; or
  • The Pyun team has confirmed public disclosure is appropriate.

We generally aim to resolve valid vulnerabilities within 90–120 days depending on severity and complexity.


Safe Harbor

When conducting security research in compliance with this policy, Pyun considers your activities to be:

  • Authorized under applicable anti-hacking and computer misuse laws;
  • Conducted in good faith and intended to improve overall ecosystem security;
  • Exempt from restrictions that would otherwise interfere with legitimate security research under this policy; and
  • Protected from legal action by Pyun for accidental, good-faith violations of this policy.

This safe harbor applies only to research conducted in accordance with this policy and does not excuse violations of applicable law or malicious behavior.

If a third party initiates legal action against you for activities conducted in compliance with this policy, Pyun will take reasonable steps to clarify that your actions were authorized and performed in good faith.

If you are uncertain whether your research is consistent with this policy, contact us through an official security channel before proceeding further.


Reporting a Vulnerability

Please include the following information when submitting a report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Proof-of-concept code or screenshots if applicable
  • Affected versions or environments
  • Suggested remediation if available

Bug Bounty

Pyun currently does not operate a public bug bounty program.

All reports are submitted voluntarily and in the interest of responsible disclosure and improving ecosystem security. Requests for payment in exchange for disclosure, withholding vulnerability details pending compensation, or extortion attempts are not welcome.

We still deeply appreciate responsible disclosure efforts and contributions from the security community.