Responsible rules for researcher participation

Researchers may only test targets, assets, applications, APIs, repositories, or environments that are explicitly listed in an active SternSleuth program or written customer authorization. If a target is unclear, out of scope, or newly discovered, pause and request clarification before continuing.

Do not test third-party systems, personal accounts, customer data, employee devices, suppliers, cloud tenants, or infrastructure unless the program scope clearly permits that activity.

SternSleuth prioritizes validated signals over disruptive testing. Researchers must avoid denial-of-service, destructive payloads, persistence, malware, credential theft, social engineering, spam, physical attacks, and any activity that could degrade service availability or business operations.

Where proof is needed, collect the minimum safe evidence required to demonstrate impact. Do not access, modify, exfiltrate, or disclose sensitive data beyond what is strictly necessary for responsible validation.

Treat all customer environments, researcher communications, signals, validation artifacts, reports, and program details as confidential. Do not publish, share, sell, or reuse customer information without written permission from SternSleuth and the affected customer.

If personal data, secrets, credentials, payment data, health data, or other sensitive information is encountered, stop testing that path and report the exposure through the approved SternSleuth workflow.

Submissions must be accurate, reproducible, and grounded in observed evidence. Do not submit fabricated findings, duplicate reports under alternate identities, automated noise, copied third-party reports, or claims that exceed the available proof.

A strong signal should explain the affected asset, observed exposure, business impact, safe reproduction steps, confidence level, and recommended next validation or remediation action.

Researchers must not demand payment outside the platform, threaten public disclosure, contact customers through unapproved channels, or use discovered exposure as leverage. Coordinated disclosure, bounty decisions, and remediation communication must stay inside approved SternSleuth workflows.

Researchers must use their own verified profile and keep account information accurate. Reputation, eligibility, stipend access, private program invitations, and payout review can be affected by signal quality, conduct, duplicate behavior, collaboration history, and compliance with program rules.

SternSleuth may pause submissions, remove program access, withhold platform privileges, escalate abuse, or close researcher accounts where this Code of Conduct, program rules, legal requirements, or customer safety boundaries are violated.

To report a conduct issue or request scope clarification, contact founder@sternsleuth.dev.