Help us keep Fortis-OS safe.
If you believe you have found a security vulnerability in Fortis-OS, we want to hear from you. This page documents what is in scope, how to submit a report, and how we recognise researchers who help.
In scope
- The Fortis-OS web application and all its subdomains.
- The desktop environment, window manager, terminal, and integrated tools shipped with the project.
- Authentication flows, admin routes, and the recon-workspace data layer.
- Source-code level issues, including:
- XSS (Cross-Site Scripting)
- Prototype pollution
- Unsafe deserialization
- SSRF (Server-Side Request Forgery) in proxied endpoints
Out of scope
- Denial-of-service (DoS), volumetric attacks, or stress testing.
- Findings against third-party services that Fortis-OS calls (e.g., RDAP, Cloudflare DoH, HackerTarget, allorigins, etc.).
- Self-XSS or clickjacking on pages without sensitive actions.
- Missing security headers without a demonstrated security impact.
- Social engineering or physical attacks.
- RCE (Remote Code Execution) in the terminal — Intended behaviour The integrated terminal is designed to execute commands on the host environment. Command execution via the terminal is a deliberate feature, not a vulnerability.
How to report
- Email davycypher@gmail.com with the subject line
[VDP] Fortis-OS — <short title>. - Include reproduction steps, impact, and any proof-of-concept payloads.
- Give us a reasonable window to triage before public disclosure (we aim to acknowledge within 72 hours).
- Use the "Submit a report" button above — it pre-fills a structured template.
Safe harbor
We will not pursue legal action against researchers who act in good faith and follow this policy:
- Report promptly.
- Do not access or exfiltrate user data beyond what is needed to demonstrate the issue.
- Do not disrupt services.
- Give us time to remediate before disclosure.
Activities that violate this policy — or that target users instead of the system — are not covered by safe harbor.
Legal disclaimer
Read before testingDo not perform penetration testing that crashes the backend, takes down the domain, or disrupts any workflow running inside this OS. That includes — but is not limited to — DoS / volumetric attacks, resource exhaustion, destructive payloads, and any test that degrades service availability for other users.
Fortis-OS is a registered project. Any activity that violates this policy, damages our infrastructure, exposes user data, or harms other researchers may be pursued through legal channels under applicable law. Safe harbor protects good-faith research only — it does not cover destructive or negligent behaviour.
What happens after you report
- Step 1ReceivedWe confirm receipt within 72 hours.
- Step 2TriagedWe validate impact and assign severity.
- Step 3RemediatedWe fix and verify the issue is closed.
- Step 4CreditedYou land in the Hall of Fame (if you wish).