Security Policy

Responsible Disclosure

We welcome responsible security disclosures and work to triage reported issues quickly and transparently.

How to report

Share vulnerability details, reproduction steps, impact assessment, and any proof-of-concept in a private report.

security@fendix.dev

Policy highlights

  • Do not run destructive tests against systems without explicit permission.
  • Do not publicly disclose issues before coordinated remediation.
  • Credentials and sensitive data should be redacted in shared reports.
  • Active probes should only be enabled within an authorized scope.

Fendix security scans are designed to be safe by default. Active/destructive probes are opt-in.