Publication Boundaries

Publication boundaries define what the site will not publish even when the underlying work is legitimate. They are distinct from research authorization. This page does not authorize testing, scanning, exploitation, or access to any system; only the responsible system owner can authorize activity against that system. Authorization determines whether an activity may occur. Publication boundaries determine what can become public after that activity produces evidence, analysis, or tooling.

The default public posture is conservative. A public page should contain enough information for defenders, researchers, or affected parties to understand the record. It should not contain unnecessary exploit steps, private evidence, credentials, personal data, live secrets, or vendor-sensitive material that does not materially improve defensive understanding.

Public Material

The following material is suitable for public publication after review: affected product names and versions, high-level impact summaries, remediation guidance, stable identifiers, timelines, sanitized reproduction summaries, schema definitions, aggregate metrics, local tool documentation, and synthetic examples. When a page includes uncertainty, it should state the uncertainty directly rather than filling the gap with confident language.

Restricted Material

The following material requires removal or private handling before publication: credentials, session tokens, private keys, non-public customer data, production logs that identify uninvolved parties, exact exploit chains that materially increase abuse risk, persistence steps, bypass payload collections, unpatched sensitive vendor details, and any evidence obtained outside the handling boundary.

Review Decision

A publication reviewer should be able to point to the defensive value of each technical detail. If a detail supports remediation, detection, validation, or accurate severity assessment, it may belong in public form after redaction. If a detail primarily improves unauthorized reproduction, it belongs in the private record or should be summarized at a safer level.