Security · Coordinated Disclosure

Found a flaw in our surface?
Tell us. We will fix it — fast.

We run offensive security for a living, so we hold our own disclosure process to the standard we expect of every client. This is a coordinated vulnerability disclosure policy aligned to ISO/IEC 29147 and CERT/CC — clear timelines, an honest SLA, and a legal safe harbour for good-faith researchers.

Last updated: June 2026 · Policy: /.well-known/security.txt

Our disclosure commitments

48 hrs
Acknowledgement

A human reply confirming receipt — never an auto-responder.

5 days
Triage & validation

Severity assigned (CVSS v3.1), reproduction confirmed or queried.

90 days
Coordinated window

Standard embargo from triage before any public disclosure.

Safe
Legal harbour

Good-faith research under this policy is authorised — we will not sue.

00 — The Policy

Coordinated disclosure, done the way we would want it done to us.

This policy governs how to report a security vulnerability in AxVeil-owned property — axveil.com and its subdomains, axveil.ai, the authenticated customer dashboard, and our public APIs. It does not cover vulnerabilities in a client's systems found during an engagement; those go through the client's own channel.

We operate a coordinated model rather than a full-public-disclosure one: you report privately, we fix, and we agree a disclosure date together. The process below is the one we actually run — the same SLA and the same safe-harbour language we are comfortable signing our name to.

01 — The Process

Report to disclosure, step by step.

Six stages, each with a clock you can hold us to. Nothing here is aspirational — these are the timelines we commit to in writing.

  1. Day 0

    You report

    Email security@axveil.com (PGP optional) with reproduction steps, affected asset, expected vs. actual behaviour, and an impact narrative. A clean proof-of-concept speeds everything that follows.

  2. Within 48 hours

    We acknowledge

    A named operator replies confirming receipt and assigns a tracking reference. If anything in the report is unclear, we ask before the clock on triage starts.

  3. Within 5 business days

    We triage

    We reproduce the issue, assign a CVSS v3.1 base score and severity band, and confirm whether the finding is in scope. You receive the validated severity and our planned remediation track.

  4. Severity-driven

    We remediate

    Critical fixes target 7 days, High 30 days, Medium 60 days, Low 90 days from triage. We keep you updated at each material step and tell you honestly if a fix needs longer.

  5. On fix ship

    We verify with you

    Once the patch is live we ask you to confirm the issue is resolved. If the fix is incomplete, the report reopens — no closing a ticket over an unverified fix.

  6. Day 90 (or on mutual agreement)

    We coordinate disclosure

    Public disclosure follows the embargo by mutual agreement. We credit you in the Hall of Fame unless you ask to stay anonymous, and we coordinate CVE assignment via MITRE for findings in third-party software.

02 — What We Ask

Your side of the bargain.

  • Give us reasonable time

    Hold public disclosure for the coordinated window (90 days standard from triage). If a fix is taking longer, talk to us — we would rather extend together than read about it on social media.

  • Minimise harm to data and availability

    Demonstrate impact with the least intrusive proof possible. Do not access, modify, copy, or destroy data that is not yours, and stop at the first record that proves the issue.

  • No DoS, no social engineering, no physical attacks

    Volumetric denial-of-service, phishing of staff or customers, SIM-swap, and physical-access attempts are out of bounds and are not covered by the safe harbour below.

  • Keep findings confidential until coordinated

    Do not share the vulnerability, the report, or any captured data with third parties before the coordinated disclosure date we agree together.

03 — What We Offer

Our side of the bargain.

  • A real, human response

    Acknowledgement within 48 hours and validated triage within 5 business days — from an operator, not a ticketing bot. Even out-of-scope reports get a genuine reply.

  • Transparent remediation tracking

    You stay in the loop from triage to fix verification, with a defined severity-driven SLA you can hold us to.

  • Public credit, on your terms

    Hall of Fame recognition and a credit on /recognition once the fix ships — or full anonymity if you prefer. Your call.

  • Bounty consideration

    High and Critical findings are considered for a monetary reward under the bug bounty programme. Bands and current funding status are published on /security/bug-bounty.

04 — Legal Safe Harbour

Test in good faith. We will not come after you.

We want researchers to feel safe reporting to us. If your security research is conducted in line with this policy, we commit to the following:

  • Conduct that is consistent with this policy is considered authorised access under applicable computer-misuse law, and we will not initiate or support legal action against you for it.
  • We will not report good-faith research conducted under this policy to law enforcement.
  • If legal action is initiated by a third party against you for activity that complied with this policy, we will take reasonable steps to make it known that your actions were authorised.
  • This authorisation does not extend to activity that intentionally harms AxVeil, its customers, or third parties — or to data exfiltration, extortion, or any conduct outside the scope and rules above.

If you are unsure whether a specific action is authorised, ask at security@axveil.com before you proceed. We would rather answer a question than read a report of something that went past the line.

05 — How to Report

One inbox. PGP if you want it.

Primary contact

security@axveil.com

Include the affected asset, reproduction steps, expected vs. actual behaviour, and the impact narrative. Our PGP key is available on request and referenced from /.well-known/security.txt; use it for unpatched Critical findings.

Machine-readable policy

/.well-known/security.txt

Our RFC 9116 security.txt carries the security contact in its Contact field and points to this policy from its Policy field. Tooling that reads security.txt will route you here automatically.
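A security.txt is only useful to tooling if it is well-formed, so the checker below is an added example (not AxVeil's code, and the sample file is not AxVeil's actual security.txt) of the RFC 9116 rules a publisher should verify before shipping the file: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Expires must be an RFC 3339 timestamp in the future (the RFC recommends less than a year out), and every web URI must use https. The sample file is constructed; apart from security@axveil.com, /.well-known/security.txt and /recognition, which this page names, its URLs are assumptions.

```python
"""Minimal RFC 9116 security.txt checker (added example, not AxVeil's code)."""
from datetime import datetime, timezone, timedelta

# Constructed sample. Encryption/Policy URLs are assumptions, not from the page.
SAMPLE = """\
# Coordinated disclosure contact (constructed sample)
Contact: mailto:security@axveil.com
Expires: 2027-06-01T00:00:00Z
Encryption: https://axveil.com/.well-known/pgp-key.txt
Acknowledgments: https://axveil.com/recognition
Policy: https://axveil.com/security/disclosure
Canonical: https://axveil.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with three RFC 9116 violations.
BAD_SAMPLE = """\
Contact: http://axveil.com/contact
Contact: mailto:security@axveil.com
Preferred-Languages: en
Preferred-Languages: de
"""

REQUIRED = {"contact", "expires"}
SINGLE = {"expires", "preferred-languages"}           # MUST NOT appear more than once
URI_FIELDS = {"contact", "encryption", "acknowledgments", "policy", "canonical", "hiring", "csaf"}
KNOWN = REQUIRED | SINGLE | URI_FIELDS
URI_SCHEMES = ("https://", "mailto:", "tel:", "dns:", "openpgp4fpr:")


def parse_ts(value: str) -> datetime:
    """RFC 3339 timestamp; Python < 3.11 needs 'Z' spelled as '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse(text: str) -> list:
    """Return ordered (field, value) pairs; field names are case-insensitive."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a field line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check(text: str, now_iso: str = None) -> list:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse(text)
    names = [n for n, _ in fields]
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED) if f not in names]
    problems += [f"field must appear at most once: {f}" for f in sorted(SINGLE) if names.count(f) > 1]
    for name, value in fields:
        if name == "expires":
            try:
                exp = parse_ts(value)
            except ValueError:
                problems.append(f"Expires is not RFC 3339: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif exp <= now:
                problems.append(f"file expired at {value}")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        elif name in URI_FIELDS:
            if value.startswith("http://"):
                problems.append(f"{name} uses http://, web URIs must be https://")
            elif not value.startswith(URI_SCHEMES):
                problems.append(f"{name} is not a recognised URI: {value}")
        elif name not in KNOWN:
            problems.append(f"unknown field (allowed as an extension, check spelling): {name}")
    return problems


if __name__ == "__main__":
    print("sample:", check(SAMPLE) or "ok")
    print("bad sample:", check(BAD_SAMPLE))
```

The expiry check is the one that bites in practice: a file that validated on the day it was published silently expires a year later, and RFC 9116 tells consumers to treat an expired file as stale. Running this from CI against the deployed file catches that before a researcher does.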

FAQ

Disclosure questions, answered.

What is the difference between this policy and your bug bounty?

This page is the coordinated disclosure policy — it defines how to report any vulnerability in AxVeil-owned property, the timelines we commit to, and the legal safe harbour that protects good-faith research. The bug bounty programme (at /security/bug-bounty) sits on top of it and defines reward bands for qualifying in-scope findings. Every bounty submission follows this disclosure policy; not every disclosure earns a bounty.

What is in scope for disclosure?

Vulnerabilities in AxVeil-owned infrastructure: axveil.com and its subdomains, axveil.ai, the authenticated customer dashboard, and our public APIs. Vulnerabilities you find in a client's systems during an AxVeil engagement are NOT covered here; those must be reported through the client's own disclosure channel. Vulnerabilities in third-party SaaS we depend on (Stripe, Vercel, Resend, Cloudinary, and similar) should be reported to that vendor directly.

Do I need to encrypt my report?

Encryption is optional but encouraged for sensitive findings. Our PGP key is available on request at security@axveil.com and referenced from /.well-known/security.txt. If a report contains exploit details for an unpatched Critical issue, please use PGP.

How long do I have to wait before disclosing publicly?

The standard coordinated window is 90 days from the date we triage the report. If we ship a fix sooner, we are happy to coordinate earlier disclosure with you. If remediation genuinely needs longer — for example a deep architectural fix — we will tell you why and agree an extension together rather than letting the clock run silently.

Will you take legal action against me?

Not if you act in good faith and stay within this policy. Our safe-harbour commitment treats research conducted under these rules as authorised access. The protection ends the moment activity moves outside scope — data exfiltration, extortion, DoS, or harm to customers voids it entirely.

Can I report anonymously?

Yes. You can submit without revealing your identity and still receive triage updates via a contact channel of your choice. If you want Hall of Fame credit you will need to supply a name or handle; otherwise the finding is recorded anonymously.

Ready to report?

We take every report seriously and reply within 48 hours — even when the finding is out of scope. A real operator reads it, not a triage bot.