Security Policy

Effective date: 21 April 2026  ·  Version 1.0

Reporting a vulnerability

Please report security vulnerabilities by email to security@ephemera.sh. Do not open a public GitHub issue or discuss the vulnerability publicly until we have had the opportunity to investigate and issue a fix.

We aim to acknowledge reports within 48 hours and to provide an initial assessment within 5 business days. We will keep you informed of progress and notify you before any public disclosure.

What to include

Scope

Target                                              | In scope     | Notes
----------------------------------------------------|--------------|------------------------------------------------
ephemera.sh and subdomains                          | Yes          | API, dashboard, waitlist, marketing site
Ephemera CLI (eph)                                  | Yes          | All versions; include CLI version in report
Helm chart (charts.ephemera.sh)                     | Yes          | Chart tampering, supply-chain issues
Data plane workers (EU / US regions)                | Yes          | Analysis pipeline, object storage, retention log
Third-party services (see Subprocessors in /trust)  | Out of scope | Report to the respective provider's security team
Social engineering or phishing                      | Out of scope |
Denial-of-service attacks                           | Out of scope | Load testing requires prior written permission

Safe harbour

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided that:

Disclosure policy

We follow coordinated disclosure on a 90-day window. From the date a valid report is acknowledged, we aim to release a fix within 90 days. After the 90-day window expires, the researcher is free to publish their findings whether or not a fix has been released, provided they have complied with the safe-harbour conditions above.

If we release a fix before the 90 days have elapsed, we encourage the researcher to coordinate public disclosure with us so that users have a reasonable window to apply the fix, but we do not impose an additional post-fix embargo.

In exceptional circumstances (for example, where a fix requires a protocol-level change beyond our control), we may ask the researcher to agree to an extension. Any such extension is by mutual agreement, not by default.

Contact

Email: security@ephemera.sh
Please include "Security disclosure" in the subject line. For sensitive reports, encrypt with our PGP key (fingerprint D084 763D E34D EE48 56F2  906E A58A 85A4 FACD 4633).

Acknowledgments

We do not currently run a paid bug-bounty programme, but we publicly credit researchers who report valid vulnerabilities under this policy. With your permission, we will list your name (or handle) and the date of the report here.

No reports have been published yet. Reporters who would like to be credited can tell us in their disclosure email.