Responsible disclosure

Status: stub. Day 5 will publish the actual PGP key fingerprint and bug bounty schedule.

Contact

  • Email: security@worker-os.com
  • PGP key: /pgp-key.asc (fingerprint published on key rotation)
  • Out-of-band escalation: @worker-os on GitHub

Scope

In scope:

  • The CLI (this repo).
  • The control plane at api.worker-os.com.
  • This documentation site.

Out of scope:

  • DoS / volumetric attacks on Cloudflare’s edge — report to Cloudflare’s bug bounty.
  • Stripe / external SaaS integrations — report to those vendors.

Process

  1. We respond within 24h to confirm receipt.
  2. We publish a written postmortem within 72h for any P1 incident, signed by the Core Team. Postmortems are public; affected tenants are notified privately first.
  3. Critical patches ship as out-of-band releases, signed and verifiable.

A note on attribution

This project is authored under the WOS Core Team brand — see the docs README for the doctrine. Reporters are credited in postmortems by name (or pseudonym, your choice). The Core Team is not.