DRG 007
SHEET 01 / 08
SCALE DISCLOSURE
ISSUED 26.04.2026
REV A · ROUTE-PUBLIC
// SHEET 01 OF 08 DRG-007 · SECURITY ROUTE · REV A · ROUTE-PUBLIC
exhibit g responsible-disclosure surface not a bounty programme
blackmenta.com/security · security.txt aligned · good-faith research only
G security datum · route, not theatre · named contact
$ security blackmenta

security is a route not a slogan

what we promise: a named route · a clock · a safe-harbor boundary
what we don’t promise: a bounty · an instant fix · PGP (yet)
// disclosure.v0 Find something real. Report it cleanly.
Do not harm users, data, systems, or the structure.
DIM: 6 scoped surfaces (3 in scope · 1 routed · 2 out) · 5-step SLA · 0 bounty · 0 PGP yet
contact: named · scope: drawn · SLA: 5-step · bounty: none · PGP: pending

Responsible disclosure. Minimal proof only. No destructive testing.

BlackMenta Ltd publishes this page as the public route for security researchers, reviewers and coordinated-disclosure contacts. The purpose is not to perform security theatre. The purpose is to make the right contact, scope, evidence standard and response path visible before anything goes wrong.

responsible disclosure · no bounty promise · minimal proof only · PGP pending publication
no destructive testing · no social engineering · no DoS · no extraction of reviewer data
contact: security@blackmenta.com
spec: RFC 9116 aligned
acknowledge: ≤24h critical · 0–2 business days standard
credit: on request, post-fix
checksum scope · report · safe-harbor · response · security.txt · PGP
BM / DISCLOSURE SURFACE scope → report → safe-harbor → response → coordinate
01 · contact before content
02 · scope before testing
03 · evidence before exploit
04 · clock before claim
// EX.X · DISCLOSURE PERIMETER What this page is not.
not a bug bounty · no payment signal, no reward programme, no contract or obligation to pay for reports.
not a recruiting page · no Hiring field in security.txt, no “join us” ladder, no funnel disguised as disclosure.
not theatre · no “our security is our priority” tagline. Boring, concrete, technically testable, or it doesn’t belong here.
not authorisation to break things · safe-harbor is bounded; destructive testing is out of scope and outside safe-harbor.
not a PGP placeholder · no fake fingerprint, no “PGP coming soon” theatre. Encryption appears when the production key is ready.
not a status page · operational health and uptime live on the status page; this page is policy, not telemetry.
// security register

Four controls visible before any report.

contact · scope · protocol · encryption
SR.01
contact

Named route

Reports go to security@blackmenta.com. Non-security legal, preview or press requests should not be routed here. Public surface health is on /status.

Open report
SR.02
scope

No guessing

Owned domains, public web surfaces and auth-related BlackMenta surfaces are named explicitly. Third-party platforms are routed to their owners.

See scope matrix
SR.03
protocol

Evidence standard

Valid reports include impact, reproduction steps, affected URL, environment and minimal proof. No exploitation beyond confirmation.

See report format
SR.04
encryption

PGP status honest

Until a production PGP key and fingerprint are published, encrypted reporting is available on request — not falsely advertised as live.

See PGP status
// SHEET 02 OF 08 · SCOPE MATRIX

Research scope, drawn plainly.

REF 02.X · ALLOW / ROUTE / DENY · 6 SURFACES

Each surface has one of three dispositions: in scope (testing welcomed within rules), route (belongs to another owner), or out (not authorised — safe-harbor does not apply).

ref · surface · scope rule · status
02.1 · blackmenta.com · Public website, static pages, link routing, headers and public forms owned by BlackMenta. · in scope
02.2 · auth surface · auth.blackmenta.com authentication, preview routing and session handling, where testing does not attack other users or bypass access rules. · in scope
02.3 · ai / menta · Prompt-boundary, public-corpus leakage and routing issues, provided no private reviewer material is extracted, retained or redistributed. · in scope
02.4 · third parties · Cloud, mail, fonts, payment, calendar, analytics or infrastructure providers not controlled by BlackMenta must be reported to the relevant provider. · route
02.5 · humans · Social engineering, phishing, coercion, pretexting, employee impersonation or attacks on counsel, reviewers, partners or family members. · out
02.6 · availability · DDoS, rate-limit exhaustion, spam floods, destructive load testing, resource abuse or any test intended to degrade service. · out
Architectural rule: if a surface is not on this matrix, it is out of scope by default. Safe-harbor follows the matrix — it does not extend to anything outside it.
// SHEET 03 OF 08 · REPORT FORMAT

A good report is short, reproducible, harmless.

REF 03.X · EVIDENCE STANDARD · MINIMAL PROOF

Report the issue, not the trophy. Security reports should prove that a weakness exists without collecting unnecessary data, escalating privileges beyond the minimum proof, persisting access, or creating a second risk while documenting the first.

ref · field · required content · status
RF.01
subject line
Security Report [BlackMenta] · short vulnerability name
REQUIRED
RF.02
affected URL
Specific endpoint, host or surface where the issue is reproducible
REQUIRED
RF.03
reproduction steps
Numbered steps a reviewer can follow to reproduce the issue safely
REQUIRED
RF.04
expected vs actual
What the system should do under the trigger; what it actually does
REQUIRED
RF.05
impact
Honest impact assessment: confidentiality, integrity, availability, scope
REQUIRED
RF.06
environment
Browser, device, account type used during reproduction
PREFERRED
RF.07
proof artefacts
Minimal screenshots or request snippets — redacted of unrelated data
PREFERRED
RF.08
do not include
Credentials, private documents, malware, stolen data, exploit chains beyond proof
FORBIDDEN

Minimal evidence, maximum clarity. Include enough detail for a reviewer to reproduce the issue safely. Omit secrets, private user data, exploit weaponisation, unrelated screenshots and unnecessary personal information.

// SHEET 04 OF 08 · SAFE-HARBOR RULES

Good faith is bounded.

REF 04.X · RESEARCHER CONDUCT · 2 SIDES

BlackMenta does not authorise destructive research. The safe-harbor posture is intended for good-faith, privacy-respecting, promptly reported security research within the stated scope. Outside that boundary, no safe-harbor applies.

04.A · PERMITTED
// inside the boundary

Permitted research

Good-faith conduct · safe-harbor applies
  • Minimal testing on in-scope systems
  • Prompt reporting via security@
  • No persistence beyond minimum proof
  • No data retention after report
  • No user impact in testing
  • No public disclosure before coordination
  • No attempt to monetise findings through pressure
good faith vs harm
04.B · PROHIBITED
// outside the boundary

Prohibited conduct

No safe-harbor · counsel-routed
  • Social engineering · spam · phishing
  • Denial-of-service · load attacks
  • Physical attacks · pretexting
  • Extortion · payment pressure
  • Malware · destructive actions
  • Credential theft · account access
  • Extraction of private reviewer materials
LEFT: in scope + good faith = safe-harbor
RIGHT: any listed item = no safe-harbor
EITHER SIDE: BlackMenta retains all rights to seek legal remedy where safe-harbor does not apply.
// SHEET 05 OF 08 · RESPONSE CLOCK

Reports need a clock.

REF 05.X · TARGET SLAS · 5 STAGES

No promise of an instant fix. A promise of a clear sequence: receipt, triage, status, remediation, credit. Misrouted reports are rerouted inside the same SLA.

// the response sequence
RC.01
0–2 days
Acknowledge receipt or reroute if the report does not belong to the security inbox. Critical reports trigger ≤24h escalation. An acknowledgement is not a triage outcome.
ACK
RC.02
≤5 days
Initial triage: validate scope, request missing reproduction detail, classify likely severity. The classification can change with new evidence.
TRIAGE
RC.03
≤10 days
Status update for valid reports, including whether the issue is accepted, duplicate, informational or out of scope. Out-of-scope is honest, not silent.
STATUS
RC.04
severity-based
Remediation timing depends on risk, exploitability, third-party involvement, legal review and whether a coordinated disclosure date is needed.
RESOLVE
RC.05
after fix
Researcher credit may be given in a Hall of Thanks if requested and if disclosure does not increase risk. Credit is opt-in, not automatic.
CREDIT
// SHEET 06 OF 08 · SECURITY.TXT

Machine-readable contact.

REF 06.X · RFC 9116 · DRAFT

Recommended public location: https://blackmenta.com/.well-known/security.txt, served over HTTPS. Do not publish an Encryption: field until a real production PGP key URL and fingerprint are available; once the key is live, add the field and sign the file with an OpenPGP cleartext signature, as RFC 9116 recommends. The draft below shows what gets published and what is intentionally omitted.

/.well-known/security.txt DRAFT · RFC 9116
Contact: mailto:security@blackmenta.com
Policy: https://blackmenta.com/security
Acknowledgments: https://blackmenta.com/security#thanks
Preferred-Languages: en, de
Canonical: https://blackmenta.com/.well-known/security.txt
Expires: 2027-04-25T23:59:59Z

# Encryption field intentionally omitted until the production PGP key is published.
# Hiring field intentionally omitted.
# No bounty statement: RFC 9116 defines no Bounty field, none is added as an extension, and BlackMenta does not promise a bug bounty.
Honesty rule: if a field is not yet true, the field is omitted with a comment line explaining the omission. Empty placeholders attract bad reports; honest gaps attract good ones.
// SHEET 07 OF 08 · ENCRYPTION STATUS

PGP should be true or absent.

REF 07.X · KEY HYGIENE · 4 RULES

A PGP key advertised before it is operational is worse than no PGP key. The four rules below stop the most common security-page failure: a placeholder fingerprint that points to a key nobody actually controls.

ref item public position status
07.1 production key Not published in this draft. Publish only when the key is generated, stored, rotated and owned under the right operational control. pending
07.2 fingerprint Do not show a placeholder fingerprint. Once live, display the full fingerprint on the security page and link the public key from security.txt. pending
07.3 urgent secrecy If encryption is necessary before key publication, request a secure channel by email without sending the vulnerability details first. route
07.4 key rotation Production key should have owner, expiry, rotation plan and revocation procedure before publication. No vanity keys. control
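The security.txt draft on Sheet 06 and the placeholder rules on this sheet can both be enforced mechanically before the file ships. The checker below is an added example, not BlackMenta's own tooling: it parses the draft, applies the RFC 9116 requirements (Contact present, exactly one Expires, Expires under a year out, Canonical matching the serving URL, no field names the RFC does not define) and refuses Encryption values that look like placeholders. The `BAD` sample, the `PLACEHOLDER` pattern and the use of the sheet issue date as "now" are constructed assumptions for the demonstration.

```python
"""Checker for a draft security.txt against RFC 9116 and this page's honesty rule.

Added example, not BlackMenta's own tooling. It parses the file, requires
Contact and a single Expires, flags an Expires more than a year out,
checks Canonical against the URL the file is served from, rejects field
names RFC 9116 does not define, and refuses placeholder Encryption values
(fake fingerprints, "coming soon" URLs). Sample inputs are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Sheet 06 draft, embedded as sample input (comment lines are ignored).
DRAFT = """\
Contact: mailto:security@blackmenta.com
Policy: https://blackmenta.com/security
Acknowledgments: https://blackmenta.com/security#thanks
Preferred-Languages: en, de
Canonical: https://blackmenta.com/.well-known/security.txt
Expires: 2027-04-25T23:59:59Z

# Encryption field intentionally omitted until production PGP key is published.
"""

# Constructed counter-example: the placeholders Sheet 07 forbids, plus an
# undefined field and an Expires far beyond the one-year window.
BAD = """\
Contact: mailto:security@blackmenta.com
Encryption: https://blackmenta.com/pgp-coming-soon.asc
Encryption: openpgp4fpr:0000000000000000000000000000000000000000
Bounty: none
Expires: 2030-01-01T00:00:00Z
"""

SERVED_AT = "https://blackmenta.com/.well-known/security.txt"
ISSUED = datetime(2026, 4, 26, tzinfo=timezone.utc)  # sheet issue date, used as "now"

# The eight fields RFC 9116 section 2.5 defines; anything else is an extension.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
# Heuristic for values that are theatre rather than a real key reference.
PLACEHOLDER = re.compile(r"\b(?:tbd|todo|placeholder)\b|coming.?soon|x{4,}|0{8,}", re.I)
OPENPGP_FPR = re.compile(r"^openpgp4fpr:[0-9a-f]{40}$", re.I)


def parse(text):
    """Return (name, value) pairs; blank lines and # comments are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))
    return fields


def encryption_ok(value):
    """RFC 9116 allows an https URI, a dns: URI or an openpgp4fpr: fingerprint."""
    if PLACEHOLDER.search(value):
        return False
    return value.startswith("https://") or value.startswith("dns:") or bool(OPENPGP_FPR.match(value))


def check(text, served_at, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    by_name = {}
    for name, value in parse(text):
        by_name.setdefault(name, []).append(value)
    problems = [f"{n}: not a field RFC 9116 defines" for n in by_name if n not in KNOWN_FIELDS]
    if "Contact" not in by_name:
        problems.append("Contact: required field missing")
    expires = by_name.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires: exactly one value is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires: not an ISO 8601 timestamp")
        else:
            if exp <= now:
                problems.append("Expires: file has already expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires: more than a year out (RFC 9116 says under one year)")
    canonical = by_name.get("Canonical", [])
    if canonical and served_at not in canonical:
        problems.append("Canonical: does not list the URL the file is served from")
    for value in by_name.get("Encryption", []):
        if not encryption_ok(value):
            problems.append(f"Encryption: placeholder or malformed value {value!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("draft", DRAFT), ("bad", BAD)):
        print(label, check(text, SERVED_AT, now=ISSUED) or "passes")
```

Run it as a pre-publish step: the Sheet 06 draft passes with the sheet issue date as "now", while the constructed `BAD` file fails on the undefined field, the over-long expiry and both placeholder Encryption values. The placeholder regex is a heuristic, not a proof of key ownership; the real gate remains rule 07.1 (publish only when the key is generated, stored and owned under operational control).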

Reviewer security details are gated.

This page is the public disclosure route. Detailed infrastructure architecture, tenant separation, key management, audit logs and reviewer-side security controls are released through auth.blackmenta.com — to verified counsel, security researchers and capital under NDA.

▶ Request security pack
01 · Identify · Researcher, counsel, reviewer.
02 · Route · Disclosure, audit, infrastructure or coordination lane.
03 · Disclose · Public policy → security pack → reviewer-side detail.
no lane fits? → security@blackmenta.com
// NOTES · DRG-007 · GENERAL

Notes.

  1. N.01 Safe-harbor follows the scope matrix. Conduct outside the matrix is outside safe-harbor — even when reported in good faith. → see Sheet 02 + Sheet 04
  2. N.02 No bug bounty. Researcher credit is opt-in, post-fix. This page does not create a payment programme, contract or employment relationship. → see Sheet 05 · RC.05
  3. N.03 PGP is honest or absent. No placeholder fingerprints; no “Encryption: coming soon” in security.txt. The field appears when the key is real. → see Sheet 07 · PGP
  4. N.04 Minimal proof. The reporter who escalates beyond the minimum needed to demonstrate the issue creates a second risk while documenting the first. → see Sheet 03 · RF.07–RF.08
  5. N.05 Coordinated disclosure: security@blackmenta.com. Public disclosure should be coordinated only after validation, remediation and a mutually reasonable publication window.
// END OF NOTES · NTS · UNLESS OTHERWISE SPECIFIED DRG-007 · REV A
// SIG.01 · DRAWN BY Security Architect Disclosure policy · RFC 9116
2026-Q1 · internal
// SIG.02 · CHECKED Counsel of Record Safe-harbor · Disclosure law
2026-Q2 · engaged
// SIG.03 · OWNER BlackMenta Ltd № 16988667 · IP Holding
2026 · disclosure surface
// SIG.04 · STATUS Route-public · Rev A Disclosure · No bounty
last updated 2026-04
// DRAFTING STANDARD · BS 8888 SPIRIT · NTS RESPONSIBLE DISCLOSURE · NO BOUNTY PROMISE
// end of drawing 007 · 8 sheets
/security · the disclosure route · 2026
DRG-007 REV A · 8 SHEETS · DISCLOSURE · ROUTE-PUBLIC · NO BOUNTY