Public-safe method kit and AI-OS for responsible bug hunting, evidence review, redaction, and report preparation.
Responsible testing starts before any request is sent.
Write down the program, lab, toy environment, or permission source. If you cannot name the permission source, do not test the system.
List what is allowed, what is out of scope, and what actions are explicitly disallowed. Treat unclear scope as a stop sign.
Use only accounts and objects that you created for the test. Do not access third-party data, even if it appears reachable.
Prefer read-only checks first. If a state change is needed, make it reversible, small, and allowed by scope.
Stop immediately if private third-party data appears, a flow reaches payment completion, the test would send repeated notifications, or the next step would require guessing identifiers or secrets.
Capture only the minimum proof needed. Redact before storing or sharing. Keep private evidence outside this public repository.
Submit only through the authorized disclosure channel. Be precise about impact, limitations, and the safe boundaries used during testing.
For AI-assisted work, pair this model with the AI-OS Safety Contract and AI-OS Decision Gates.