Terms of Service
Effective date: 2026-04-04
1. The Site
undefect.com publishes security research: algorithmic complexity defects (CWE-407) and related findings across open-source software. UNDF identifiers are assigned to each confirmed defect. Patches are provided for upstream submission.
Public access to research content expands progressively as outreach succeeds and upstream patches merge. Some research pages are publicly accessible now. Our full UNDF registry, intel briefs, and detailed patch analysis require login. Legal pages, the donation page, and disclosed research briefings are available without an account.
2. Accounts
Account access is granted by the site operators. By logging in you agree to these terms. You are responsible for keeping your credentials confidential.
Access tiers:
- Public — no login required. Homepage, legal pages, donation, permacomputer, and selected disclosed research pages released as outreach succeeds.
- Internal — login required. Full UNDF registry, intel briefs, MOAD research.
- Private — elevated access. Restricted to site operators.
3. Use of Content
All research, patches, and analysis published here are offered freely for the public benefit of the open-source ecosystem. You may read, share, and link to any page.
You may not republish content in bulk, mirror the site, or present findings as your own work without attribution to undefect.com and the original researchers.
All patches are offered as-is. Apply them at your own risk. Review them before use.
Patches and research will be released under AGPLv3 upon completion of the initial outreach campaign. Until then, all rights are reserved except as stated above.
4. No Warranties
This site and its findings are provided without warranties of any kind, express or implied. UNDF identifiers are assigned by this project independently of any official standards body. They carry no legal weight beyond this publication.
Research findings represent the state of the code at the time of analysis. Projects move fast. Always verify against the current upstream source.
5. Responsible Disclosure
Findings published here follow coordinated disclosure practices. Patches are prepared and submitted upstream before or concurrently with public disclosure.
If you believe a finding contains an error or you are a maintainer of an affected project, contact: security@undefect.com
6. Access and Automated Traffic
This site is operated on infrastructure shared with other services. Automated traffic must identify itself with an accurate User-Agent and must respect robots.txt.
Login endpoints are rate-limited by IP address. Repeated failed login attempts will result in temporary lockout. Attempts to circumvent rate limiting, brute-force credentials, or conduct automated credential attacks are prohibited and may result in permanent IP-level blocks and disclosure to upstream infrastructure providers.
We monitor traffic patterns for abuse, scraping, and attacks. IP addresses that exhibit abusive behavior may have their access restricted or blocked without notice.
If you believe your IP has been incorrectly restricted, contact security@undefect.com.
7. External Links
Links to upstream repositories, patches, and project trackers point to third-party sites. We are not responsible for their content or availability.
8. Changes
These terms may be updated. The effective date at the top of this page reflects the most recent revision.