The office · Security
Responsible disclosure.
Orphograph welcomes security research conducted in good faith. This page describes how to report a vulnerability, what the office considers in scope, and how researchers are credited.
Contact
Send reports to [email protected]. PGP is not currently required; if your report is sensitive enough to warrant encryption, say so in the first message, keep that message free of exploit detail, and an arrangement will be made.
A machine-readable version of this contact information is published at /.well-known/security.txt per RFC 9116.
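A researcher who wants to confirm that the published file is well-formed before relying on it can check it against the RFC 9116 rules. The checker below is an added example, not code from Orphograph or the page; the sample file it parses is constructed for the example (the address and URLs in it are placeholders, not the real contents of the site's security.txt). It enforces the two fields the RFC requires (Contact and Expires), rejects a stale or duplicated Expires, and flags Contact values that are not scheme-qualified URIs.

```python
"""RFC 9116 security.txt checker (added example, not Orphograph's code)."""
from datetime import datetime, timezone

# Constructed sample file; the values are placeholders, not the site's real file.
SAMPLE = """\
# security.txt (constructed example)
Contact: mailto:security@example.invalid
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://orphograph.com/.well-known/security.txt
Policy: https://orphograph.com/security
"""

# Schemes RFC 9116 names for Contact values.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Map lower-cased field name -> list of values, in file order.

    Field names are case-insensitive; comment lines start with '#'.
    Lines without a ':' are malformed and are skipped here.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    # Contact: required, each value must be a URI with a scheme.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact value is not a scheme-qualified URI: {c!r}")

    # Expires: required, exactly once, ISO 8601, and not already past.
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing required Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past; treat the file as stale")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")

    # Preferred-Languages may appear at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")

    # The file is served over HTTPS, so a Canonical URI should be https as well.
    for c in fields.get("canonical", []):
        if not c.startswith("https://"):
            problems.append(f"Canonical is not an https URI: {c!r}")

    return problems


if __name__ == "__main__":
    for p in check_security_txt(SAMPLE) or ["ok"]:
        print(p)
```

Run it against the body fetched from /.well-known/security.txt; a stale Expires is the most common defect in the wild and is the one to check first, since the RFC tells consumers to disregard an expired file.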
Disclosure timeline
The office observes a 90-day standard window between report receipt and public disclosure. The timeline runs as follows:
- Day 0. Report received. An acknowledgment is sent within three business days.
- Day 1 to 14. Triage and reproduction. The office confirms severity and proposes a remediation path.
- Day 14 to 90. Remediation, regression testing, and deploy. Researchers are kept informed at material milestones.
- Day 90. Standard maximum embargo. Extension beyond 90 days is rare and is negotiated with the reporter in writing.
Disclosure earlier than 90 days is appropriate where a fix has shipped and the reporter consents to publication. Disclosure later than 90 days is appropriate only where a deployed fix is not yet possible and continued embargo is genuinely safer than publication.
In scope
- The orphograph.com web application and any subdomain operated by the office.
- The anchoring pipeline — receipt issuance, OpenTimestamps aggregation, calendar handling, and the receipt-vault storage layer.
- Receipt verification — both the server-side verifier and the standalone client-side verifier shipped under MIT.
- Authentication and session handling, including the magic-link flow.
- Billing and payment flows administered directly by the office.
Out of scope
The following are explicitly out of scope. Reports against these surfaces should be sent directly to the operator of the service in question.
- Third-party transactional-email infrastructure used to deliver magic-link and receipt emails.
- Third-party hosting infrastructure on which the office runs.
- Third-party DNS and edge providers fronting the public domain.
- Bitcoin nodes, OpenTimestamps calendar servers operated by third parties, and the Bitcoin network itself.
- Findings that require physical access to a customer device or social engineering of office staff.
- Volumetric denial-of-service findings without a novel amplification or asymmetry argument.
- Theoretical cryptographic weaknesses in SHA-256 or SHA-512 absent a working demonstration.
Safe harbor
Research conducted under this policy — non-destructive testing, no exfiltration of customer data, no service degradation, and timely reporting — is considered authorized. The office will not pursue legal action against researchers who act in good faith and within the scope defined above. Activity that disrupts service, reads or modifies data belonging to other customers, or persists beyond what is required to demonstrate the finding falls outside safe harbor.
Bounty
The office does not operate a paid bounty program at this time. Reporters of valid findings are credited publicly in the Acknowledgments section below, unless the reporter requests otherwise.
Acknowledgments
Researchers who have responsibly disclosed verified findings will be listed here, with their consent.