Responsible Disclosure

How to report a security issue affecting CoreSecurity-owned public assets without creating unnecessary risk or crossing legal boundaries.

We support good-faith reporting of security issues affecting CoreSecurity-controlled public assets. This page is intended to guide coordinated disclosure and reduce harm. It does not create a bug bounty program, a blanket safe-harbour promise, or permission to test third-party systems, client systems, or private infrastructure.

Last updated: 9 April 2026

What we ask researchers to do

If you identify a potential issue, report it promptly to the contact form at https://millennialprojects.com/contact with enough detail for us to reproduce and assess it.

  • Describe the affected URL, asset, or feature
  • Share reproduction steps, impact, and proof where appropriate
  • Limit activity to the minimum required to confirm the issue
  • Give us reasonable time to investigate before public disclosure

What you must not do

Do not exfiltrate data, access accounts, alter content, create persistence, degrade service availability, or interfere with clients, users, staff, or third parties.

  • No phishing, social engineering, or physical access attempts
  • No denial-of-service, spam, ransomware, malware, or destructive testing
  • No access to data beyond what is strictly necessary to demonstrate the issue
  • No testing of client environments or third-party services without explicit written permission

How we will handle reports

We will review legitimate reports, assess impact, and decide on remediation steps based on risk, scope, and operational constraints.

We do not promise payment, public credit, response deadlines, or any particular remediation timeline unless we confirm that separately in writing.

Legal boundaries

You are responsible for ensuring that your conduct remains lawful. Nothing on this page authorises conduct that would otherwise be unlawful, unauthorised, or harmful under South African law.

If you are unsure whether a test is permitted, stop and contact us before proceeding.

References

The references below inform this page and point to the official South African sources we relied on. This page is general information and should not be treated as legal advice.

  • Cybercrimes Act 19 of 2020 (South African Government)
  • Electronic Communications and Transactions Act 25 of 2002 (South African Government)