Responsible Disclosure

All Santh software is open source. If you find a vulnerability in any of our crates — a memory safety issue, an authentication bypass, a sandbox escape, a logic error that compromises security — we want to know.

You cannot discover a vulnerability without exercising it. Reserving the right to decide after the fact what counts as "acceptable testing" is corporate hypocrisy. We will not do this.

The Bright Lines

If you are testing Santh software, three rules apply:

01. Do not use findings against third-party infrastructure.

If you find a vulnerability in our code, report it. Do not use it to target systems or users outside of your own test environment. The flaw is our bug, and we reward finding it. But using it against someone else is outside our protection.

02. Do not access other users' data.

If a flaw exposes data belonging to other users of Santh-hosted services, report it immediately. Do not access, exfiltrate, or leverage it.

03. No deliberate, sustained destruction.

Discovering a flaw and then choosing to weaponize it for permanent harm — after you already know what you found — that is the line. We do not penalize accidental damage from exploration.

Everything else is fair game. Find the bug, report it, get credit.

Data Transparency

This website is a static site hosted on Cloudflare Pages. There is no backend, no database, no user accounts, and no dynamic content. The attack surface is effectively Cloudflare's CDN, which we do not control.

What this site collects:

What exists

Cloudflare edge analytics — page views, country, referrer. Processed at the edge by Cloudflare. No cookies, no PII, no IP storage. We see aggregate counts only.
DNS — Cloudflare DNS with proxied records. Standard HTTPS. No custom logging.

Hard commitments

No tracking cookies

No JavaScript analytics

No browser fingerprinting

No third-party analytics (no Google Analytics, Mixpanel, Segment, Amplitude)

No ad networks, retargeting, or cross-site tracking

No data sales

No user accounts on this site

If this ever changes, this page will be updated before it ships. Not after. The source for this site is open and auditable.

Challenge Anything

If you believe something on this page is wrong, unclear, or incomplete — tell us. Every decision is reviewable. The only requirement is a clear explanation of why.

Contact

Security issues: security@santh.dev — We respond within 24 hours.

Everything else: contact@santh.dev

Confidential: santht@proton.me (end-to-end encrypted via Proton Mail)