Back to Fortis-OS
Security · v1.0
Vulnerability Disclosure Program

Help us keep Fortis-OS safe.

If you believe you have found a security vulnerability in Fortis-OS, we want to hear from you. This page documents what is in scope, how to submit a report, and how we recognise researchers who help.

24 hrs
Initial response
0
Reports triaged
0
Researchers credited
Always
Safe harbor

In scope

  • The Fortis-OS web application and all its subdomains.
  • The desktop environment, window manager, terminal, and integrated tools shipped with the project.
  • Authentication flows, admin routes, and the recon-workspace data layer.
  • Source-code level issues, including:
    • XSS (Cross-Site Scripting)
    • Prototype pollution
    • Unsafe deserialization
    • SSRF (Server-Side Request Forgery) in proxied endpoints

Out of scope

  • Denial-of-service (DoS), volumetric attacks, or stress testing.
  • Findings against third-party services that Fortis-OS calls (e.g., RDAP, Cloudflare DoH, HackerTarget, allorigins, etc.).
  • Self-XSS or clickjacking on pages without sensitive actions.
  • Missing security headers without a demonstrated security impact.
  • Social engineering or physical attacks.
  • RCE (Remote Code Execution) in the terminal Intended behaviour The integrated terminal is designed to execute commands on the host environment. Command execution via the terminal is a deliberate feature, not a vulnerability.

How to report

  1. Email davycypher@gmail.com with the subject line [VDP] Fortis-OS — <short title>.
  2. Include reproduction steps, impact, and any proof-of-concept payloads.
  3. Give us a reasonable window to triage before public disclosure (we aim to acknowledge within 72 hours).
  4. Use the "Submit a report" button above — it pre-fills a structured template.

Safe harbor

We will not pursue legal action against researchers who act in good faith and follow this policy:

  • Report promptly.
  • Do not access or exfiltrate user data beyond what is needed to demonstrate the issue.
  • Do not disrupt services.
  • Give us time to remediate before disclosure.

Activities that violate this policy — or that target users instead of the system — are not covered by safe harbor.

Legal disclaimer

Read before testing

Do not perform penetration testing that crashes the backend, takes down the domain, or disrupts any workflow running inside this OS. That includes — but is not limited to — DoS / volumetric attacks, resource exhaustion, destructive payloads, and any test that degrades service availability for other users.

Fortis-OS is a registered project. Any activity that violates this policy, damages our infrastructure, exposes user data, or harms other researchers may be pursued through legal channels under applicable law. Safe harbor protects good-faith research only — it does not cover destructive or negligent behaviour.

What happens after you report

  1. Step 1
    Received
    We confirm receipt within 72 hours.
  2. Step 2
    Triaged
    We validate impact and assign severity.
  3. Step 3
    Remediated
    We fix and verify the issue is closed.
  4. Step 4
    Credited
    You land in the Hall of Fame (if you wish).

Hall of Fame

0 researchers
No entries yet. Be the first to report a valid vulnerability and you will be credited here.