Responsible Disclosure Policy
Last updated: February 2026
How Pruva Handles Vulnerability Data
Pruva only processes security advisories that have already been publicly disclosed through established channels (GitHub Security Advisories, NVD, vendor security bulletins).
Pruva does not:
- Discover or disclose new vulnerabilities
- Process embargoed or non-public vulnerability information
- Publish reproductions for vulnerabilities before public disclosure
- Contact affected vendors or coordinate disclosure
Embargo Support
If a published reproduction references a vulnerability that is under active embargo or was inadvertently published before the intended disclosure date, please contact us immediately. We will promptly retract the reproduction until the embargo is lifted.
Retracted reproductions are marked with a clear retraction notice and their scripts are removed from public access.
Reproduction Content
Reproduction scripts published by Pruva are designed to demonstrate a vulnerability's existence under controlled conditions. They are:
- Generated by automated agents in sandboxed environments
- Tested only against locally built instances of affected software
- Intended for defensive security research and verification
- Not optimized for offensive use or weaponization
Pruva follows the principle that verified public reproduction helps defenders by enabling them to confirm whether their systems are affected and validate that patches are effective.
Reporting Issues with Reproductions
If you believe a reproduction is inaccurate, contains errors, or should be retracted for any reason, please report it:
- Open an issue on the Pruva GitHub repository
- Include the REPRO ID and a description of the concern
We aim to review and respond to all reports promptly.
Reporting Security Issues in Pruva
If you discover a security vulnerability in the Pruva platform itself (the website, API, or infrastructure), please report it responsibly:
- Open a private security advisory on the Pruva GitHub repository
- Include steps to reproduce, expected vs. actual behavior, and any relevant details
Do not open public issues for security vulnerabilities in Pruva itself.
Disclaimer
All reproduction content is generated by automated systems and provided for informational purposes only. Pruva makes no guarantees regarding the accuracy or completeness of any reproduction. See our Terms of Service for full disclaimers.