Operational Doctrine
Capacity Disclosure Policy
MSI — LASTING LEGACIES
Status: Public surface policy. External research is permitted only under controlled alignment and within defined scope.
I — PREAMBLE
This policy defines the conditions under which external security research may occur against MSI public web surfaces hosted on this domain. It is a boundary instrument. It establishes alignment, authorization, and consequence. Alignment precedes action. Authorization follows alignment.
II — PURPOSE
Our systems exist to preserve continuity, attribution, and structural control. Capacity disclosure exists to reduce systemic drift, identify structural weaknesses, and preserve operational stability. Observation supports alignment. Extraction for advantage does not.
III — AUTHORIZATION
Good-faith research conducted within this doctrine may be treated as authorized capacity testing. Authorization is conditional, limited, and revocable. Authorization remains active only while activity appears aligned with defined scope and intent. Misalignment may trigger reconsideration of authorized standing.
IV — RESEARCH PRINCIPLES
Research operates under strict alignment.
You are responsible for understanding scope before acting.
Lack of familiarity with terminology, structure, or doctrine does not exempt any actor from compliance.
Operate under four constraints:
• Confirm presence. Do not expand surface area.
• Observe structure. Do not alter system state.
• Demonstrate proof. Do not establish persistence.
• Report immediately. Do not mistake delay for leverage.
Observation may be documented solely to verify existence of a condition.
Data may not be removed, retained, replicated, or operationalized beyond disclosure.
Crossing scope — even partially — may trigger termination of authorization.
Responsibility remains with the actor.
Exposure of nonpublic data ends testing.
V — PROHIBITED ACTIONS
The following activities are considered misaligned with operational stability and are treated as outside authorized capacity.
• Denial-of-service, resource exhaustion, or traffic amplification testing
• Social engineering, impersonation, or deceptive interaction with operators or users
• Physical intrusion, environmental probing, or facility-based testing
• Persistence mechanisms, privilege escalation, lateral movement, or command-line establishment
• Automated enumeration or scanning that measurably degrades availability or system posture
• Alteration, retention, replication, redistribution, or destruction of data in any form
Authorization is conditional upon preservation of system continuity.
Actions that elevate operational noise, introduce instability, or expand surface area beyond verification thresholds may result in immediate removal from authorized scope.
Alignment is measured by system impact — not stated intent.
VI — SCOPE
Research is limited to this public website and its static assets hosted at {{SITE_URL}}.
In scope includes:
• Pages and assets served from {{SITE_URL}}/*
• Public policy files under {{SITE_URL}}/.well-known/*
Out of scope includes:
• Vendor infrastructure, hosting providers, CDN/control plane, email systems, and third-party integrations
• Any internal environments, non-public systems, or human operators
• Any testing that degrades availability or alters system state (see Prohibited Actions)
If scope is unclear, alignment must be requested before engagement.
Silence does not imply authorization.
VII — ENGAGEMENT PROTOCOL
Researchers must operate within the following engagement expectations:
• Cease testing once a vulnerability is confirmed
• Submit findings through the designated channels
• Remove temporary data copies
• Allow remediation time prior to disclosure
Default stabilization window: 90 days.
Alignment preserves continuity.
VIII — REPORT STRUCTURE
Valid disclosures should contain:
• Structural location
• Mechanism of exposure
• Reproducible steps
• Defined impact boundaries
Signal outweighs volume.
Low-quality or automated submissions may be disregarded.
IX — RESPONSE MODEL
Where contact information is provided, acknowledgement may occur within three business days. Validation and remediation posture may be communicated when appropriate. Identity is not shared without consent.
X — DISCLOSURE WINDOW
Public disclosure is paused while remediation stabilizes. Default guidance: 90 calendar days from acknowledgement. Premature disclosure may increase systemic risk.
XI — DOCTRINE ALIGNMENT
This policy operates under alignment principles: Control before scale. Record before reputation. Structure before expansion. Continuity before complexity. Research that preserves alignment strengthens the system. Misalignment may trigger reassessment of authorization.
XII — COMPLIANCE AND RESPONSIBILITY
All actors bear sole responsibility for reviewing, understanding, and adhering to the boundaries of authorized activity prior to engagement with any MSI surfaces.
Misinterpretation of terminology, alleged unfamiliarity with any provision, clause, notation, or structural designation, or absence of prior knowledge shall not diminish, impede, suspend, or nullify the legal or operational consequences of misalignment.
Authorization under this doctrine is conditional, limited, and revocable.
Authorization remains in effect only while activity appears aligned with defined scope.
Deviation — whether intentional, negligent, or incidental — may result in reconsideration or termination of authorized status.
Upon reconsideration or termination of authorization:
• Activities may be evaluated under applicable statutory, regulatory, and common-law frameworks
• No representation, warranty, or safe harbor is implied beyond the explicit bounds of this policy
• Retroactive claims of misunderstanding do not automatically reinstate authorization
Cooperation remains available to actors operating within alignment.
Protection may not extend to conduct exceeding doctrine boundaries.
Nothing within this policy shall be construed as granting license, ownership, access rights, or continued privilege beyond explicitly defined surfaces.
Alignment precedes action.
Authorization follows alignment.
Unclear scope still carries consequence.