Security
Responsible disclosure & our own security posture.
A security firm that does not publish its own policy is not a security firm. Here is how to reach us if you have found something, and how we handle the other side of the table.
Reporting a vulnerability
If you have discovered a security issue in memcyber.com or in any asset we host publicly, please email security@memcyber.com.
Include:
- A description of the issue and the affected asset
- Steps to reproduce, ideally with a proof-of-concept
- Your assessment of the impact
We will acknowledge within one business day, triage within three, and work with you on coordinated disclosure.
Safe harbor
We will not pursue legal action against researchers who:
- Report vulnerabilities in good faith through the channels above
- Avoid privacy violations, service degradation, or data exfiltration
- Give us reasonable time to address the issue before public disclosure
Out of scope
- Automated scanner output without a validated finding
- Denial-of-service, volumetric attacks, or resource-exhaustion testing
- Social engineering targeting MemCyber staff, partners, or clients
- Issues on third-party platforms we do not operate (e.g. Vercel, Web3Forms)
How we protect client data
Every engagement runs under written authorization and a mutual NDA. Reports are delivered encrypted (PGP or your preferred secure channel). Any collected evidence is wiped within 30 days of engagement close unless you explicitly request retention.
Client credentials are stored in password managers with limited access and destroyed at engagement close. We do not share client names, engagement details, or findings publicly without written permission.
security.txt
Our machine-readable policy is published at /.well-known/security.txt.
PGP public key
Encrypt sensitive disclosure material with our PGP key before sending. The public key is armored and served at /.well-known/pgp.asc.