For research collaboration, advisories, engagement scoping, press, or speaking. Sensitive topics — vulnerability reports, embargoed coordination, anything you wouldn't put on a postcard — should come over Signal or PGP-encrypted email. Everything else is fine in plaintext.
Preferred for vulnerability reports and anything sensitive. Disappearing messages on by default.
PGP key fingerprint on request. Use PGP for anything you wouldn't put on a postcard.
Open. Fine for introductions and non-sensitive coordination. Don't put findings here.
For engagement scoping and professional outreach. Slow channel — assume 3–5 days.
If your message is a vulnerability report, you should hear back within one business day with a tracking handle and a request for any clarification I need before I can reproduce. Coordinated disclosure proceeds from there on the standard timeline.
If it's an engagement inquiry, expect a reply within three business days with either a scoping call slot or a polite "not the right fit." I take a small number of engagements and decline more than I accept; the bar isn't budget, it's whether the work is interesting and the customer is going to act on the findings.
If it's press, speaking, or collaboration, the response time depends on what's already in the queue, but you'll always get a real reply.