Security Policy
How to report security vulnerabilities in Orchid.
Orchid is proprietary software. If you believe you have found a security vulnerability in Orchid — Trellis (server), Petal (agent), the official container images, or the official Terraform/Ansible/Packer deployment artifacts — report it privately to:
security@runorchid.com
Do not file security issues in any Orchid source repository, PR, commit message, or chat channel. Public disclosure before coordination forfeits safe-harbor protection.
What to include
- A description of the issue and its impact.
- Steps to reproduce (minimal proof-of-concept preferred).
- Affected component, image tag or version, and environment.
- Any suggested mitigation, if you have one.
PGP
Encrypt reports to the Orchid Security key:
Fingerprint: 925F 279B E759 7DDA 3E31 2E14 59A3 A2B8 F3A2 EA90
Key ID: 59A3A2B8F3A2EA90
UID: Orchid Security <security@runorchid.com>
Algorithm: RSA 4096
Expires: 2029-04-15
Public key:
/.well-known/security-pubkey.asc
Unencrypted reports are still accepted — but anything containing reproducible exploit detail or customer-specific impact should be encrypted.
What happens next
Orchid will acknowledge receipt within 2 business days and provide an initial triage decision within 5 business days.
A machine-readable copy of this policy is published at:
https://runorchid.com/.well-known/security.txt
Not a security issue?
Functional bugs, outages, and support questions go to support@runorchid.com, not the security address.