Vulnerability disclosure card
Public-facing vulnerability disclosure policy (VDP) shown on /security. Includes a dedicated security email, the PGP public key + fingerprint, the SLA we commit to for triage and fix, a link to the researcher hall of fame, and explicit in-scope / out-of-scope target lists. Provides safe-harbour language for good-faith research.
Vulnerability disclosure card is a reusable Oak Flats Muffler Men UI primitive with documented states, accessibility expectations, theme behavior, and implementation evidence.
Report a security issue
We welcome coordinated disclosure from researchers. Submissions are honoured under safe-harbour terms when made in good faith.
- Security contact: security@mufflermen.com.au
- PGP fingerprint: 3A12 B45F 9012 3CDE F678 9AB0 CDEF 1234 5678 9AB0
- PGP public key
-----BEGIN PGP PUBLIC KEY BLOCK----- mDMEY1ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdef ghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQR STUVWXYZabcdefghijklmnopqrstuvwxyz1234567890ABCD EFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz =AAAA -----END PGP PUBLIC KEY BLOCK-----
In scope
- *.mufflermen.com.au — production web
- api.mufflermen.com.au — public API
- iOS + Android workshop staff apps (current store builds)
- Workshop booking + parts ordering surfaces
Out of scope
- Third-party SaaS (Stripe, Xero, Twilio) — report to vendor
- Volumetric DoS, brute-force attacks, social engineering of staff
- Physical attacks on the Oak Flats workshop premises
- Out-of-date branches not in production