Security
A direct channel for security researchers who find a vulnerability in any cantarell.energy surface or subsidiary asset.
Report a vulnerability
Email security@cantarell.energy with the details below. If the issue is sensitive, request our PGP key in your first message and we will reply with one.
What to include
Clear reproduction steps move things fastest. The more we can verify on first read, the faster we can triage and fix.
01 · The specific URL, API endpoint, or subsidiary asset where the issue reproduces.
02 · A numbered list of the exact steps to trigger the issue. Screenshots or a short video help.
03 · What an attacker could do with this: data access, privilege escalation, account takeover, service disruption.
04 · Which browser, OS, or platform reproduces the issue, and whether it reproduces in production versus staging.
05 · How you want us to reach you, and your preferred name for attribution if the fix is disclosed publicly.
Our commitments
01 · Acknowledgment
A real person acknowledges the report within three business days and tells you who owns the triage.
02 · Triage
We classify the severity using industry-standard rubrics and share an ETA for remediation appropriate to the class.
03 · Disclosure
We coordinate public disclosure with the reporter. If the fix is material, we credit researchers who wish to be credited.
04 · No lawyers
We will not pursue legal action against researchers acting in good faith within the scope below.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action related to your research.
If a third party initiates legal action against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with our policy.
Acting in good faith means: you do not intentionally harm Cantarell, its subsidiaries, its users, or third parties; you do not exfiltrate beyond what is necessary to prove the vulnerability; you do not publicly disclose the issue before a coordinated resolution.
Scope
In scope
Out of scope