Hi, I’m _NULL. Pentester by day, curious by night. The longer version is in the hello world post.
If you want to get in touch, here’s how.
The name
There’s a generative AI “artist” using the same handle. We’re not related.
Disclosure policy
If you’re a vendor and you’re reading this, this applies to you.
I make reasonable attempts to reach your security contacts before the clock starts. I expect confirmation within 7 days. No response means I escalate to platform vendors or CERT/CC.
You get 120 days to patch. I expect updates at least every 30 days. Going silent doesn’t stop the clock. If I find evidence of exploitation in the wild, I escalate more aggressively and may shorten the deadline. I won’t publish details that help attackers narrow down the attack surface. Users come first.
Full details go up once a patch is available. I coordinate timing with the vendor to avoid weekends and holidays, and I publish on business days. If the 120 days expire without a patch, details go out regardless.
If you think this should work differently, tell me.