🛡️ Security Contact & Responsible Disclosure
We value the security community and welcome responsible disclosure of vulnerabilities. This page contains our contact information, reporting guidelines, and safe harbor policy.
Secure Contact Methods
Security Email
Response within 24h
PGP Public Key
Disclosure Guidelines
- Provide a clear, step-by-step reproduction path
- Specify affected components, endpoints, or services
- Include relevant screenshots, logs, or PoC code
- Do not access or modify user data during testing
- Avoid automated scanning without prior coordination
- Use test accounts only; never target production user accounts
Scope
✓ In Scope
- git.dev & *.git.dev domains
- API endpoints & authentication flows
- CI/CD pipeline components
- Developer dashboard & CLI tools
✗ Out of Scope
- Social engineering / phishing
- DDoS or availability attacks
- Third-party integrations
- Public marketing websites
Response Process
We follow a structured workflow to ensure vulnerabilities are triaged, fixed, and disclosed responsibly.
1. Receive: Report logged & encrypted. Initial acknowledgment sent within 24h.
2. Triage: Security team validates impact, severity, and reproduction steps.
3. Remediate: Engineering deploys fix. Timeline shared based on severity.
4. Disclose: Coordinated public disclosure with researcher credit upon request.
Safe Harbor
🔒 Legal Protection for Researchers
.git will not initiate legal action, issue takedown requests, or pursue civil liability against researchers who report vulnerabilities in good faith and comply with our disclosure guidelines. We welcome ethical security research and encourage responsible disclosure. By submitting a report, you acknowledge that you will not exploit vulnerabilities, distribute findings publicly before resolution, or harm our users or infrastructure.