Obsidian Watch Group

Disclosures

Public commitments. On the record.

This page states the practice's standing policies for visitor telemetry, embargo handling, coordinated vulnerability disclosure, and data retention. These are not legal disclaimers. They are operating commitments the practice can be held to.

D.01

Visitor telemetry.

The public site records normal web-server telemetry: source IP, ASN, timestamp, request path, HTTP method, response status, and user-agent. That data is retained. Where it correlates with active case work, it is documented in the applicable case file under chain of custody.

There is no dynamic tracking, no marketing analytics, no third-party session recording, and no advertising pixel on this site. Telemetry is the request log at the edge, nothing more.

Persistent access patterns from vendors, hosting-provider ranges, and third parties with a demonstrable interest in a matter under investigation are reviewed. Where the pattern is material, it becomes part of the underlying case file. Where the pattern is not material, it stays in the log and is retained per the schedule in section D.04.

If your organization has taken an interest in this site because of an active matter, your access pattern is on the record. The practice's preference is that you reach out through the intake address rather than through a scraping fleet. The record produced by that approach is easier for everyone to work with.

Intake: investigations@obsidianwatchgroup.com. Encrypted: obsidianinvestigations@pm.me (PGP).

D.02

Embargo discipline.

When findings are under embargo, they are not published. That commitment holds under commercial pressure, press pressure, and the practice's own inconvenience.

Embargoed material is not shared with journalists, is not previewed at conferences, is not summarized on social media, and is not referenced obliquely to build anticipation. The material is held until the party running the embargo releases it in writing.

Confidential disclosure channels remain open throughout. Vendor VRPs, federal agencies, sector CERTs, and CNAs receive what they are entitled to under the embargo. Public release is a separate step.

When an embargo is lifted, the practice publishes on the same day the release becomes effective, with the underlying evidence, the vendor's timeline of response, and any public-interest gap the disclosure left unclosed.

D.03

Coordinated vulnerability disclosure.

Findings that identify exploitable weaknesses in third-party products or services are reported to the vendor first, along with a reasonable remediation window. Where the vendor is unresponsive or the risk is systemic, disclosure escalates to the appropriate CNA, sector CERT, or federal agency before it is made public.

The practice does not sell exploits, does not sell vulnerability details to brokers, and does not offer paid non-disclosure to vendors. Vendors who prefer that a finding go away are welcome to remediate the finding.

Independent verification of a published finding is welcome. Every bench finding ships with reproduction steps sufficient for a qualified party to re-run the test. If a vendor disputes a finding, the reproduction appendix is the answer.

D.04

Data retention.

Retention is set by the sensitivity of the material and the audience it is written for.

R.01

Web-server telemetry

Retained at the edge for the provider's rolling window (30 days at Cloudflare) plus a locally archived copy of any window relevant to active case work. Retained through case closure plus applicable regulatory or litigation hold.

R.02

Case evidence

Bench captures, firmware images, hash records, and correspondence are retained under chain of custody for the useful life of the case, plus any applicable litigation or regulatory hold. Not deleted on vendor request.

R.03

Client intake and correspondence

Retained for the duration of the engagement, plus seven years, or per client-specified retention if the engagement carries privilege.

R.04

Whistleblower and source material

Handled per the source's instructions. Where the source requests anonymity, technical metadata is stripped before archival and the source's identity is not retained in any form the practice can be compelled to produce.

Contact

Reach out on the record.

Substantive submissions, coordination requests, and vendor responses go to investigations@obsidianwatchgroup.com. Encrypted intake via PGP at obsidianinvestigations@pm.me. Voice at 931-446-9721. The full PGP fingerprint and public key are in the site footer.

Journalists and litigators requiring a specific chain-of-custody format, a declaration, or coordinated release are asked to identify themselves and their outlet on first contact. Every substantive brief gets a human reply within 48 hours, even when the answer is no.