Rules of engagement.
We break things to understand them — not to cause harm. Every action we take is bounded by law, guided by ethics, and documented in the open.
We only test what we're authorised to test.
All offensive security research is conducted against systems we own, operate, or have explicit written authorisation to test. This includes bug bounty programmes with published scope, controlled lab environments, and infrastructure we build specifically for research. We never probe, scan, or exploit systems without permission.
Vendors get notified before the public.
When we discover a vulnerability in third-party software, we follow a 90-day coordinated disclosure timeline. The affected vendor is notified immediately with full technical details and reproduction steps. We work with them on remediation. Public disclosure happens only after a patch is available — or after 90 days, whichever comes first. We follow the guidelines established by CERT/CC and the ISO 29147 standard.
We define what's in scope before we start.
Every research engagement has documented scope. We define target systems, permitted techniques, and exclusions in advance. Denial-of-service testing, exfiltration of real user data, and attacks on critical infrastructure are always out of scope. If we discover we've accidentally touched something outside scope, we stop immediately and report it.
We don't collect, store, or share personal data.
If we encounter personal data during research, we don't capture it. If accidental exposure occurs, we notify the data controller and securely delete our copies. Our published research never contains PII, credentials, or information that could be used to identify or target individuals. We comply with applicable data protection regulations including GDPR.
Our tools are built for defence.
The tools we publish are designed for authorised security testing, research, and education. We include clear documentation of intended use cases and legal considerations. We do not build or distribute tools whose primary purpose is to enable unauthorised access. Dual-use tools include prominent warnings and are published under licences that prohibit malicious use.
We operate within the law.
Our research complies with applicable computer crime legislation including the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and equivalent laws in jurisdictions where we operate. We maintain awareness of evolving legal frameworks around security research and adjust our practices accordingly. When in doubt, we seek legal counsel before proceeding.
We stand behind our work.
Every piece of research we publish is attributed to the collective. We don't hide behind anonymity to avoid accountability. If we make a mistake, we own it publicly and take corrective action. Questions about our research practices can be directed to hello@ninsei.sh.