████████████████████████████████ ██ SECURITY PROTOCOL ██ ██ Classification: Active ██ ████████████████████████████████ If you discover a security vulnerability in Opus Delta's public-facing systems, do not open a public issue.
Contact us directly:
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information
| Severity | Acknowledgment | Resolution Target |
|---|---|---|
█ Critical | 24 hours | 72 hours |
▓ High | 48 hours | 1 week |
▒ Medium | 72 hours | 2 weeks |
░ Low | 1 week | Next release |
The following are in scope:
- opusdelta.io — the live system
- API endpoints accessible from the public interface
- Client-side code served to the browser
The following are out of scope:
- Third-party services (Cloudflare, GitHub, Claude API)
- Social engineering or phishing attempts
- Denial of service attacks
- Automated scanning without prior authorization
We practice responsible disclosure. We will:
- Acknowledge your report promptly
- Work with you to understand the issue
- Credit you (if desired) once the vulnerability is resolved
- Never take legal action against good-faith security researchers
The system protects itself. But it respects those who test its boundaries.