We provide the following services:
- Vulnerability Disclosure Relay (Free)
- Vulnerability Disclosure Hosting (Free)
- Network Security Audit (TBD)
- Systems Security Audit (TBD)
- Consulting (TBD)
We currently only operate in the US in the PST timezone (GMT-8).
To contact us, please send an email to: echo Y29udGFjdEB2aWR5YXNlYy5vcmcgDQo== | base64 -d
Disclosure Relay
If you want to send a vulnerability disclosure to a party, but are concerned about retaliation on your account or in real life, we can help you by acting as a go-between. We will not disclose your name, address, phone number, or account name to the part(y|ies) in question, unless directed to.
When sending a request of this type, please provide:
- Type of disclosure (private, or coordinated)
- Private: No public disclosure, ever. This allows things to be done more quietly, but gives scummier companies a chance to sweep things under the rug.
- Full: Immediate public disclosure (dangerous, irresponsible)
- Coordinated: Work with the developers in question to patch the issue, then publicly disclose when fixed, or when they take too long. (See disclosure policy.) Preferred.
- Type of vulnerability (see CWE)
- The game, library, software, or hardware in question (“product”)
- The company or individual who should receive the disclosure
- The vulnerable version(s) of the product
- As much information about the vulnerability as possible
- If possible, the simplest working non-damaging exploit code (crashes are fine, viruses are not)
- If you cannot figure out exploit code, but have a client, trainer, etc. binary, attach it in a password-protected archive file.
- Remember to give us the password.
- Anything that can be opened with 7-zip is accepted.
- Do NOT send raw executables without wrapping them in a ZIP first.
- Contact information so we can keep in touch. This will not be shared unless we get a court order (highly unlikely unless you do something extremely stupid), or you tell us to.
Disclosure Hosting
If you wish to have your vulnerability publicly disclosed, we can help you publish it on this blog, on our Twitter, and (if safe to do so) on GitHub and GitLab. We will also assign it a case number similar to a CVE (GVID-YYYY-####).
Please provide us the information above, as well as how much about yourself you wish to have disclosed alongside the exploit.
