Security · Report a finding
Five steps to report a finding.
We accept reports through a single channel: a signed GitHub issue. This page is the protocol, not a form. A signed issue is timestamped, public, and queryable; a form on a static site offers none of that.
Protocol · The five-step ladder
Each step is one short task. Work through them in order, top to bottom.
- Open a GitHub issue
Use the disclosure template; it adds the label and signing fields for you. The issue is the audit log we both rely on.
- Sign the body
One of the following is required. Without a signature we cannot bind credit or payout to an identity.
- PGP-signed body: paste an ASCII-armored (clearsigned) message into the issue.
- Signed commit: link a signed commit whose message contains the issue text.
- SSH signature: produced by
ssh-keygen -Y sign -n codingagentbench-bounty -f ~/.ssh/id_ed25519 disclosure.txt
This writes disclosure.txt.sig next to the file. Attach the signature and tell us which public key to verify it against. The -n namespace is bound into the signature and must match at verification, so keep it exactly as shown.
- Describe the finding in prose
Tell us what to look at, what to expect, and what you observed. If a reproducer requires runnable code, host it in your own repo and link to it; we run it in our private re-audit environment and record the difference between expected and observed behaviour. We do not mirror, fork, or re-host reproducers.
- Walk the pre-submission checklist
Six small checks; each one saves a round-trip at triage.
- I have a written description of the finding. No runnable code in the issue body.
- I have a signature ready to attach (PGP, signed commit, or the output of ssh-keygen -Y sign).
- I have listed the affected cells: TUI image tag, model id, task id.
- I have checked the fix log to confirm this finding is not already published.
- I have read the severity rubric and have a self-assessed tier.
- If a reproducer needs code, it lives in my own repo and I am linking to it.
- We respond, you get credit
Acknowledgement within 2 business days, triage verdict within 5. Accepted findings land as a fix; the writeup and credit are published in the fix log and researcher credits.
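Worked example for the SSH-signature option in the Sign the body step, added here as an illustration and not the program's own tooling: it generates a throwaway ed25519 key, signs a constructed placeholder disclosure body under the codingagentbench-bounty namespace, then verifies it the way a triager would with ssh-keygen -Y verify and an allowed_signers file, and shows that a wrong namespace or a modified body fails to verify. The identity researcher@example, the temp-dir key, and the placeholder body are assumptions.

```shell
#!/bin/sh
# Added example (not the program's own tooling): sign a disclosure with
# ssh-keygen -Y sign under the page's namespace, then verify it as a triager
# would, and show the two ways verification fails.
# Assumptions: a throwaway ed25519 key in a temp dir, the placeholder
# identity "researcher@example", and a constructed disclosure body.
set -eu

NAMESPACE=codingagentbench-bounty
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key; a real report uses the researcher's long-lived key.
ssh-keygen -q -t ed25519 -N '' -C 'researcher@example' -f "$WORK/id_ed25519"

# allowed_signers: the triager's mapping from an identity to a public key.
# Format: <principal> <keytype> <base64 key>
printf 'researcher@example %s\n' \
  "$(cut -d' ' -f1,2 "$WORK/id_ed25519.pub")" > "$WORK/allowed_signers"

# Constructed placeholder disclosure body (prose only, as the checklist requires).
cat > "$WORK/disclosure.txt" <<'EOF'
Constructed placeholder disclosure body.
What to look at: <component>
What to expect: <expected behaviour>
What was observed: <observed behaviour>
Affected cells: <TUI image tag> / <model id> / <task id>
EOF

# Sign: writes disclosure.txt.sig next to the file. The namespace is bound
# into the signature, so a signature made for another purpose cannot be
# replayed against this program.
ssh-keygen -q -Y sign -n "$NAMESPACE" -f "$WORK/id_ed25519" "$WORK/disclosure.txt"

# verify_status <file> <namespace>: prints "valid" or "invalid".
# ssh-keygen -Y verify reads the message on stdin and checks the detached
# signature against allowed_signers for the given identity and namespace.
verify_status() {
  if ssh-keygen -Y verify -f "$WORK/allowed_signers" -I researcher@example \
       -n "$2" -s "$WORK/disclosure.txt.sig" < "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# signer_of <sigfile>: which allowed_signers principal produced the signature.
# Lets a triager attribute a signature before checking it.
signer_of() {
  ssh-keygen -Y find-principals -s "$1" -f "$WORK/allowed_signers"
}

# A modified body must not verify against the original signature.
cp "$WORK/disclosure.txt" "$WORK/tampered.txt"
printf 'Appended line.\n' >> "$WORK/tampered.txt"

echo "signed by:                    $(signer_of "$WORK/disclosure.txt.sig")"
echo "same body, program namespace: $(verify_status "$WORK/disclosure.txt" "$NAMESPACE")"
echo "same body, wrong namespace:   $(verify_status "$WORK/disclosure.txt" file)"
echo "tampered body:                $(verify_status "$WORK/tampered.txt" "$NAMESPACE")"
```

Run it as-is; it needs OpenSSH 8.2 or later (for -Y find-principals). The second and third checks are the point: the same key and body fail under a different namespace, and the same key and namespace fail once a single line is appended, which is why the namespace on the page must be used verbatim and why the signed text must be exactly what goes into the issue.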
Note · Why no form on this site
A static site is the wrong place to receive a security disclosure. A form implies persistence we do not have, and a form behind a CDN cannot enforce signing. The GitHub issue tracker gives us a signed, timestamped, public audit log and forces the conversation into writing, where both parties can be quoted later.
Refs · Further reading
- docs/exploit-bounty.md: program rules, payout tiers, response SLA.
- docs/exploit-rubric.md: severity scoring with worked examples.
- The fix log: catalogue of accepted findings and the fixes that closed them.
- Researcher credits: handles for accepted findings. No PII.