Responsible disclosure and reporting expectations
InferensLab publishes a minimal public security and disclosure surface so vulnerabilities or exposure risks can be reported without confusing that channel with operational support or commercial routing.
The goal is clarity: what to send, what not to send, where to report, and what kind of acknowledgment to expect.
Disclosure companion files
Disclosure + stability
Security reporting sits next to integrity and change signaling, not apart from them.
- /.well-known/security.txt — Canonical disclosure file.
- /.well-known/change-control.json — Published change expectations.
- /.well-known/doctrine-index.json — Integrity surface for public files.
How to report
- Use info@inferenslab.com for responsible disclosure affecting the public surface.
- Reference the impacted URL, file, endpoint, or route.
- Describe the observed issue clearly: exposure, broken boundary, misleading route, integrity mismatch, or security weakness.
What to include
- Precise affected path or URL
- Short reproduction context when relevant
- Observed versus expected behavior
- Any evidence that helps verify the issue without sending sensitive data
What not to send
- No client data, secrets, credentials, or private personal data
- No exploit kits or automated destructive traffic
- No assumptions about unpublished infrastructure or internal systems
What to expect
InferensLab aims for a clear acknowledgment path for good-faith disclosure. Public security surfaces are informational and bounded; they do not imply open access to internal systems, private tooling, or operational support channels.