Policy
Policy documents define the public boundary of PunchCard Labs activity. They are written for researchers, vendors, clients, and reviewers who need to understand what PCL can coordinate and what it cannot authorize.
The most important distinction is authority. PCL can define its own intake requirements, publication standards, and evidence handling rules. PCL cannot grant permission to test third-party systems unless it owns the asset or has explicit authority from the asset owner. The policy set should make that distinction apparent without relying on dramatic disclaimers in every paragraph.
Interpretation
When policy language appears to conflict, the safer and narrower interpretation controls until a maintainer resolves the conflict. Public convenience never overrides authorization, evidence minimization, or affected-party risk.
Publication Controls
Policy now distinguishes between activity boundaries and publication boundaries. Scope, rules of engagement (RoE), and disclosure policy describe what can be coordinated and how reports should be submitted. Publication boundaries describe what can become public after review. That separation matters because a legitimate finding can still contain details that do not belong in a public record.