Classification Policy
Last updated: May 2026 · What can't go on HyveHeim, and where it belongs instead.
🛑 The short version
HyveHeim is a public, browser-rendered open-source intelligence platform. It is not an accredited handler for classified, security-restricted, or otherwise protectively-marked material. Posting that material here breaks the law in most jurisdictions, exposes you to professional + criminal consequences, and exposes us to enforcement action.
Don't do it. The platform blocks the obvious markings at submission and logs the attempt for operator review. The full policy follows.
1. Why this matters (and why we can't just "make a private board")
The platform runs in a web browser. Browsers leak. Extensions can read the page. The OS can screenshot. Devtools is one keystroke away. Service workers cache content. Same-origin policy helps; it doesn't make a browser tab a compartmented secure environment.
For genuinely classified or security-restricted material, the host environment must be accredited for the relevant classification level. Common-public-cloud + browser-side rendering doesn't qualify under:
- UK Government Security Classifications Policy (Cabinet Office, current version) — OFFICIAL-SENSITIVE and above require approved handling environments.
- UK Aviation Security Act 1982 + DfT TRANSEC guidance — UK aviation security restricted material has its own handling rules and accredited channels.
- EU classifications (Council Decision 2013/488/EU) — RESTRICTED and above require accredited CIS (Communication and Information Systems).
- US SSI under 49 CFR Part 1520 — Sensitive Security Information is legally protected; "covered persons" (including platform operators with knowledge) have non-disclosure obligations. Disclosure is enforceable.
- NATO classifications (C-M(2002)49) — classified material requires accredited NATO COMSEC systems.
- ICAO Annex 17 security-restricted material — Annex 17 + Doc 8973 specify handling.
- TLP (Traffic Light Protocol, FIRST.org) — TLP:RED is for named recipients only; TLP:AMBER+STRICT for the recipient organisation only.
So when someone asks why we can't host "just a private aviation security board for vetted professionals" — the answer is that the laws above don't care how many bouncers we hire at the door. They care whether the room itself is approved. The browser-based room never will be.
2. What's blocked automatically
At submission time we scan post title + body for protective markings. Any match triggers one of three actions:
- block — the post is rejected, you see a clear error, an operator alert is logged.
- warn — the post passes (because the marking might be from a quote, paper title, or news article) but operators get an alert.
- info — silent log only.
The current marking set, by jurisdiction:
- UK: OFFICIAL-SENSITIVE, UK SECRET, UK TOP SECRET, AVSEC/TRANSEC RESTRICTED.
- EU: EU RESTRICTED / RESTREINT UE, EU CONFIDENTIAL / CONFIDENTIEL UE, EU SECRET / SECRET UE, EU TOP SECRET / TRÈS SECRET UE.
- US: CONFIDENTIAL, SECRET, TOP SECRET, SSI (49 CFR 1520), CUI, FOUO, NOFORN.
- NATO: NATO RESTRICTED, NATO CONFIDENTIAL, NATO SECRET, COSMIC TOP SECRET.
- ICAO: ICAO Restricted, Annex 17 Security-Restricted.
- TLP: TLP:RED (block), TLP:AMBER+STRICT (block), TLP:AMBER (warn).
- Caveats: EYES ONLY, ORCON, REL TO <country code>.
When a post is blocked you get a message naming the matched marking + a link to this page. The blocked body is not stored — only a SHA-256 hash + the marking labels, so we can spot repeat-offender patterns without persisting your restricted text.
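A minimal sketch of the submission check described in this section, added here as an illustration and not HyveHeim's own code. The rule table is a constructed subset of the marking list: only the TLP actions come from the list above, while the actions for the other two markings, the function name `scan_post`, and the choice to hash the body alone are assumptions.

```python
import hashlib
import re

# Constructed subset of the marking list. Only the TLP actions are stated in
# the policy; the actions for OFFICIAL-SENSITIVE and NOFORN are assumptions.
RULES = [
    ("TLP:RED", "block", r"\bTLP:RED\b"),
    ("TLP:AMBER+STRICT", "block", r"\bTLP:AMBER\+STRICT\b"),
    # Negative lookahead: plain AMBER must not also fire on AMBER+STRICT.
    ("TLP:AMBER", "warn", r"\bTLP:AMBER\b(?!\+STRICT)"),
    ("OFFICIAL-SENSITIVE", "block", r"\bOFFICIAL[- ]SENSITIVE\b"),
    ("NOFORN", "block", r"\bNOFORN\b"),
]
COMPILED = [(label, action, re.compile(rx)) for label, action, rx in RULES]
SEVERITY = {"info": 0, "warn": 1, "block": 2}


def scan_post(title, body):
    """Return (action, labels, audit) for a submission; audit holds no text."""
    text = f"{title}\n{body}"
    hits = [(label, action) for label, action, rx in COMPILED if rx.search(text)]
    if not hits:
        return "allow", [], None
    # The most severe matched rule decides the outcome for the whole post.
    action = max((a for _, a in hits), key=SEVERITY.__getitem__)
    labels = sorted(label for label, _ in hits)
    audit = {
        "action": action,
        "labels": labels,
        # Digest only (assumed here to cover the body), never the text itself.
        "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
    }
    return action, labels, audit


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        ("Vendor advisory", "Circulated as TLP:AMBER+STRICT to member SOCs."),
        ("News roundup", "The article says the report was marked TLP:AMBER."),
        ("Runway closure", "Public NOTAM text for the weekend works."),
    ]
    for title, body in samples:
        action, labels, audit = scan_post(title, body)
        print(f"{action:5} {labels} {audit['sha256'][:12] if audit else '-'}")
```

A plain digest like this only correlates byte-identical resubmissions; any edit to the body produces a different value.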
3. What we mean by "public-domain"
HyveHeim is for material that has been openly published, can be cited by URL, and is lawful to discuss publicly. Examples of fair game:
- News articles, including ones about security incidents or breaches.
- Government open-data releases, NOTAMs (the public ones), gazette notices, accident-investigation final reports (NTSB, AAIB, BFU, etc).
- Vulnerability advisories that have been publicly disclosed (post-embargo, vendor-published).
- Academic papers, conference talks, public testimony to legislative bodies.
- Anything a journalist has already published.
Examples of NOT fair game, even if you came across it through your job:
- Airport security procedures, screening protocols, threat assessments (whether labelled OFFICIAL-SENSITIVE / AVSEC RESTRICTED or just understood to be).
- Operator Security Programmes (airline/airport ASP, ground handler SP).
- Pre-disclosure vulnerability details (you got an early heads-up because you're on a security mailing list → embargo applies).
- TLP:RED / TLP:AMBER+STRICT intel you received in your professional capacity.
- Anything classified, regardless of marking — if you know it's classified, it stays off the platform.
- Internal procedures, schedules, route plans, vetting status of named individuals.
"But it'll leak anyway" is not an exception. Neither is "everyone in the industry knows this". If it's protected, you don't get to be the leak.
4. Where the restricted material actually belongs
If you're an aviation security professional with material that doesn't fit here, your options are:
- UK: DfT TRANSEC's restricted info-sharing channels; your operator's Security Department; UK CAA inspection routes.
- EU: EASA's secure sharing tools; your member-state national aviation authority.
- US: TSA's SSI portals (covered persons get access via TSA); airport security committees.
- Cyber (TLP intelligence): ISACs (Aviation ISAC, FS-ISAC, etc), CISA's CTIIC, NCSC-UK's CiSP, your sector CERT.
- NATO material: NATO Office of Security accredited channels only.
If you don't know the channel for your jurisdiction + clearance level + topic, that's a signal you shouldn't be posting that material anywhere yet, including here. Your security office can tell you.
5. If you find restricted material on HyveHeim
Use the in-product flag with reason "restricted_content", or email us via the contact form. We treat these as priority and remove within 4 business hours of receipt. Severe cases (classified material from a known leak source) are escalated to operator-on-call and, where required, reported to the appropriate authority.
6. False positives + appeals
If your post was blocked but the marking was incidental (you were quoting a news article that mentioned "TLP:AMBER" in passing, or you were discussing the marking itself, as on this very page), email us via the contact form with the post title + the relevant excerpt + context. We re-review within 7 days. False-positive rate on the current ruleset is low but non-zero.
7. Future
We are not building a "private board for vetted security professionals" feature in Mímir. The legal and architectural barriers above don't go away with a permission check. If there is enough demand for a separate, properly-accredited handling environment, that would be a different product with its own legal review, accreditation, hosting, and probably its own corporate entity. Until then, this policy applies.