Vulnerability Disclosure Policy
How to report a security issue to us safely, and what we promise in return.
Version 1.0 · effective 18 July 2026
01Reporting
If you believe you have found a security vulnerability in any Obedience service, email hello@obedience.global with the subject "Security report". Include enough detail to reproduce the issue. A machine-readable contact is published at /.well-known/security.txt on each of our domains.
02What we promise
- Acknowledgement within 3 working days
- An assessment and expected timeline within 10 working days
- We will not pursue legal action for good-faith research that respects the rules below
- Credit, if you want it, once the issue is fixed
03Ground rules for good-faith research
- Do not access, modify or exfiltrate data that is not yours: use test accounts
- Do not degrade the service for others (no denial-of-service, no spam)
- Do not run automated scanners against production without asking first
- Give us reasonable time to fix before public disclosure
04Scope and rewards
In scope: obedience.global, obedience.cloud, quantify.obedience.global and their APIs. We do not run a paid bug bounty yet; we say that here so nobody is surprised. That may change as we grow.