Reporting
Email nic@argand.org. PGP-encrypted reports are welcome and encouraged for anything sensitive — the public key is at /.well-known/pgp-key.txt (fingerprint 78CB 8742 6797 8D42 9847 B989 DC17 2983 F4C7 1CAB).
The machine-readable version of this policy lives at /.well-known/security.txt.
Please include enough detail to reproduce: affected URL or component, steps, and impact.
Scope
In scope:
- argand.org and its subdomains.
- This pre-launch site and the same-origin waitlist endpoint.
Out of scope for now:
- The search engine and microservices, which are not yet publicly available.
- Findings that require physical access, social engineering, or denial of service.
- Reports generated solely by automated scanners without a demonstrated impact.
What to expect
- Acknowledgement of your report as soon as I can — this is a one-person project, so please allow a few days.
- A good-faith effort to validate and fix confirmed issues promptly.
- Credit if you'd like it, once a fix has shipped.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, I will consider your testing authorized, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue quickly. Good faith means: don't access or modify data that isn't yours, don't degrade the service for others, and give me a reasonable chance to fix things before public disclosure.
Bug bounty
There is no paid bounty during the pre-launch phase. A public bug bounty program will open with the public launch of the search engine.