PDPR (Public Dark Pattern Registry) is a public-interest ethical infrastructure project.
Security for PDPR means:
- Protecting user privacy.
- Preventing misuse.
- Avoiding exploit weaponization.
- Practicing responsible disclosure.
- Minimizing harm.
Security vulnerabilities must be handled quietly, responsibly, and ethically.
This policy applies to:
- Web platform (PWA).
- APIs.
- Detection engines.
- Infrastructure.
- Build pipelines.
- Deployment workflows.
- Documentation pipelines.
If you discover a security vulnerability:
DO NOT open a public GitHub issue.
DO NOT publish exploit details.
Instead, report privately:
Email: pdpr@lyfmail.com
Subject: SECURITY REPORT - PDPR
Include:
- Clear description.
- Steps to reproduce.
- Impact analysis.
- Suggested mitigation (if any).
| Stage | Timeline |
|---|---|
| Acknowledgment | within 48 hours |
| Initial assessment | within 72 hours |
| Mitigation planning | within 5 days |
| Patch deployment | based on severity |
| Public disclosure | after patch release |
PDPR follows coordinated vulnerability disclosure.
We commit to:
- Timely response.
- Confidential handling.
- Respectful communication.
- Public transparency after mitigation.
We ask researchers to:
- Avoid public disclosure before a fix is released.
- Avoid publishing exploit code.
- Avoid mass scanning or probing.
Valid, responsibly disclosed vulnerabilities may receive:
- Public acknowledgment (optional).
- Contributor recognition.
- Ethical security credit.
No financial bounties are offered at this time.
Please do not report:
- Social engineering attacks.
- DDoS threats.
- Spam.
- Brute-force attempts.
- Content moderation disputes.
- UX disagreements.
PDPR is privacy-first:
- No tracking.
- No user profiling.
- No behavioral analytics.
- Minimal data retention.
Any data exposure is treated as critical severity.
Key principles:
- Client-side scanning.
- Local-first processing.
- Minimal API exposure.
- No user data storage.
- No session recording.
- No invasive scripts.
Security research must not:
- Exploit real users.
- Harvest data.
- Interfere with service.
- Violate privacy laws.
Security decisions are reviewed under:
- Ethics Constitution.
- Governance Framework.
- Legal Safety Policy.
See:
- docs/ethics-policy.md
- docs/governance.md
- docs/legal-safety.md
Security is not just technical; it is an ethical responsibility.
We deeply appreciate researchers who help us protect human autonomy, privacy, and trust.
Thank you for contributing responsibly.