Enquiries & responsible disclosure
Start the right conversation with the minimum sensitive detail.
Assessment enquiries and vulnerability disclosures need different handling, but both begin the same way: establish identity, confirm the purpose, and agree on a suitable private channel before sharing sensitive material.
Do not include exploit code, credentials, personal data, or unpatched technical details until a suitable private channel is confirmed.
Assessment enquiries · 01
Tell me what needs assessed.
The first exchange is for fit and scope—not credentials, target access, source code, or the start of testing.
Start with a professional identity.
LinkedIn is the primary initial channel for assessment and consulting enquiries. Ask to establish a private scoping channel before sharing target-specific information.
Start an assessment enquiry opens LinkedIn in a new tabUseful first-message context
- Your name, organization, and role
- The assessment track you are considering
- A high-level asset type and approximate scope
- Whether the environment is staging or production
- The desired outcome, timing, and time zone
- Who owns or can authorize the assets
Do not send URLs, IP addresses, credentials, source code, vulnerability evidence, or personal data in the first message.
Public identity · 02
Verify identity and continue safely.
These links establish identity; they are not substitutes for an encrypted disclosure channel.
Best for professional enquiries, collaboration, and establishing an initial private channel.
opens in a new tabGitHubBest for open-source project context and maintainer-visible technical discussion that is already safe to make public.
opens in a new tabXA secondary identity-verification and initial-contact channel. Do not send sensitive evidence in public replies.
opens in a new tabDisclosure expectations · 03
Evidence with restraint.
- Confirm the target and authorization context.
- Share the minimum evidence needed to establish impact.
- Avoid real-user data, persistence, service disruption, and public exposure.
- Agree on a private channel and coordinated publication timeline.
Initiate disclosure safely
Use LinkedIn only to request a private disclosure channel. Do not send vulnerability evidence or unpatched detail until that channel is confirmed.
Request a private channel opens LinkedIn in a new tab