Report to

[email protected]

Scope

varinomics.com and its subdomains, and shipped software products (galanthus, Lumis, Phylax).

Include in your report

  1. The affected product and version, where applicable.
  2. Steps to reproduce the issue on a minimal setup.
  3. The observed behaviour and the expected behaviour.
  4. The impact, as far as you can characterise it.

What we ask

  • Report privately before any public disclosure.
  • Coordinate disclosure timing while a fix is in progress.
  • Avoid running tests against live third-party systems (for example, real bank endpoints in galanthus) in ways that could affect other users of those systems.

The machine-readable convention for publishing vulnerability contact metadata is RFC 9116 security.txt.