Legal · responsible disclosure · security researcher safe-harbour

If you find something, tell us. We will not sue you.

BRMSTE LTD publishes a responsible-disclosure policy that surpasses the NCSC Vulnerability Disclosure Toolkit and the ISO/IEC 29147 + 30111 international standards. Good-faith researchers operating within the published scope receive substrate-side safe-harbour from action under the Computer Misuse Act 1990 · the Computer Fraud and Abuse Act · and equivalent statutes globally.

v1.2026.05.16 · contact security@shravanbansal.com · block 946,772

Disclosure floor: NCSC Vulnerability Disclosure Toolkit · ISO/IEC 29147:2018 + ISO/IEC 30111:2019
Safe-harbour scope: Computer Misuse Act 1990 (UK) · Computer Fraud and Abuse Act (US) · Swiss CC Art. 143bis · NIS2 transposition acts · global equivalents
Coordinated-disclosure default: 90 days from triage · variable on agreement
Response SLA: Five working days · founder-reviewed admission
Public ledger: /register/incidents · seventy-two hours from remediation
Contact: security@shravanbansal.com · PGP available on request

Safe-harbour · four binding clauses

BRMSTE LTD undertakes the following toward good-faith researchers.

01Researchers acting in good faith and within the published scope below will not have legal action initiated against them by BRMSTE LTD under the Computer Misuse Act 1990 (United Kingdom) · the Computer Fraud and Abuse Act (United States) · the Swiss Criminal Code Art. 143bis · the EU NIS2 Directive transposition acts · or any equivalent statute in any other jurisdiction.
02BRMSTE LTD will not pursue Digital Millennium Copyright Act anti-circumvention claims against good-faith research that incidentally encounters cryptographic boundaries during in-scope testing.
03BRMSTE LTD will not retaliate professionally against any researcher who follows this policy. Public credit is offered (and waivable on request); private acknowledgement is the default.
04BRMSTE LTD will not require researchers to sign a non-disclosure agreement before reporting. Coordinated-disclosure timing is agreed bilaterally after report receipt.

In scope

brmste.ai · all routes
Including /legal/*, /register/*, /api, /honest-ai, the offering hubs, the domain pages, and the museum surface.
api.brmste.ai
Production API surface · X-Honest-AI header v6 · X-Patent-Anchor header · OAuth 2.1 DCR flow.
mcp.brmste.ai/mcp
BRM-MCP v2 Streamable HTTP endpoint · 66 tools · OAuth 2.1 + bearer-token.
re-tyre.com
Re-Tyre subsidiary surface · same master-frame discipline.

Out of scope

Operator-pack personal email + iCloudDrive
Founder personal infrastructure · social-engineering attempts on the operator are out of scope and may be prosecuted.
Third-party services BRMSTE consumes
Cloudflare · Bitcoin mainnet · OpenTimestamps calendars · GitHub · npm registry · OS package mirrors. Report to the upstream vendor.
Physical-security attacks
Tailgating · social engineering of any party · physical compromise or loss of operator hardware. Report to the police.
Denial-of-service testing without prior written authorisation
DoS / DDoS / load-testing is out of scope absent a signed test agreement; coordinated load-tests can be arranged.

01
Submit the report
Email security@shravanbansal.com (preferred) with the subject prefix [SECURITY-DISCLOSURE]. Include: clear description of the finding · steps to reproduce · scope assessment · suggested remediation if you have one · whether you want public credit. PGP key available on request.
02
Receipt acknowledgement within five working days
Founder-reviewed admission posture applies. A human reads the report and replies with a triage decision (in scope · out of scope · need-more-info) within five working days, or BRMSTE explicitly waives the engagement.
03
Coordinated disclosure timeline
Default ninety-day private window from triage. Earlier disclosure on agreement; later disclosure for issues requiring infrastructure changes. The substrate emits a class=incident StageRecord on remediation; the public-facing disclosure goes to /register/incidents within seventy-two hours of remediation deployment.
04
Public credit + ledger entry
Researcher name (or pseudonym) published at /register/incidents under the remediated finding, unless researcher requests private acknowledgement. The chain anchors the disclosure-event SHA-256.

“If you find a flaw and tell us in good faith, you are safe with us. We will read your report within five working days; we will not sue you; we will credit you (or keep you private) when the finding lands at the public register.”

Responsible disclosure · v1.2026.05.16 · safe-harbour binding by publication

Sealed-oath · binding· block 946,772

← Back to the legal estate

BRM-loading · layering pigment…

If you find something, tell us. We will not sue you.

v1.2026.05.16 · contact security@shravanbansal.com · block 946,772

BRMSTE LTD undertakes the following toward good-faith researchers.

01Researchers acting in good faith and within the published scope below will not have legal action initiated against them by BRMSTE LTD under the Computer Misuse Act 1990 (United Kingdom) · the Computer Fraud and Abuse Act (United States) · the Swiss Criminal Code Art. 143bis · the EU NIS2 Directive transposition acts · or any equivalent statute in any other jurisdiction.

02BRMSTE LTD will not pursue Digital Millennium Copyright Act anti-circumvention claims against good-faith research that incidentally encounters cryptographic boundaries during in-scope testing.

03BRMSTE LTD will not retaliate professionally against any researcher who follows this policy. Public credit is offered (and waivable on request); private acknowledgement is the default.

04BRMSTE LTD will not require researchers to sign a non-disclosure agreement before reporting. Coordinated-disclosure timing is agreed bilaterally after report receipt.

Coordinated disclosure timeline

Default ninety-day private window from triage. Earlier disclosure on agreement; later disclosure for issues requiring infrastructure changes. The substrate emits a class=incident StageRecord on remediation; the public-facing disclosure goes to /register/incidents within seventy-two hours of remediation deployment.

If you find something, tell us. We will not sue you.

BRMSTE LTD undertakes the following toward good-faith researchers.

Submit the report

Receipt acknowledgement within five working days

Coordinated disclosure timeline

Public credit + ledger entry

If you find something, tell us. We will not sue you.

BRMSTE LTD undertakes the following toward good-faith researchers.

Submit the report

Receipt acknowledgement within five working days

Coordinated disclosure timeline

Public credit + ledger entry