Vulnerability Disclosure Policy

aisecurity.llc is an AI security engineering firm. We take the security of our own services seriously and welcome responsible disclosure from the security research community. We commit to engaging with researchers in good faith, investigating reports promptly, and providing credit for valid discoveries.

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy.

In Scope

The following are in scope for responsible disclosure:

• aisecurity.llc web application and public services (aisecurity.llc)
• Authentication and session management
• Assessment workflows, credential verification pages, and client-facing portals operated by aisecurity.llc
• API endpoints exposed by our site and services
• Data exposure affecting users of our services

Out of Scope

The following are out of scope:

• Denial-of-service attacks requiring large-scale traffic
• Social engineering of aisecurity.llc staff or contractors
• Physical attacks against infrastructure
• Vulnerabilities in third-party services or dependencies (report to them directly)
• Issues in our own published research or methodology documents (not security vulnerabilities)
• Automated scanner results without demonstrated impact
• Rate limiting or resource exhaustion without demonstrated data or account exposure

High Priority

• Authentication bypass or privilege escalation
• Unauthorized access to user data or accounts
• SQL injection, remote code execution, SSRF
• Cryptographic weaknesses exposing stored data
• AIPSA credential forgery or manipulation

Medium Priority

• Cross-site scripting (XSS) with meaningful data impact
• CSRF with non-trivial security impact
• Information disclosure revealing internal system details
• Business logic flaws with security implications

Lower Priority

• Self-XSS requiring extensive user interaction
• Missing security headers without demonstrated exploitation path
• Clickjacking on non-sensitive pages
• Username enumeration without a practical attack path

4.1 Primary Channel

Email security@aisecurity.llc with the subject line: Security Vulnerability — [Brief Title]

4.2 What to Include

• Summary of the vulnerability
• Affected URL, endpoint, or component
• Vulnerability type (e.g., XSS, IDOR, SQLi)
• Step-by-step reproduction instructions
• Proof of concept (screenshots, HTTP traces, or code — as appropriate)
• Your assessment of potential impact
• Any remediation suggestions you have

4.3 Encrypted Reports

For particularly sensitive reports, request our PGP public key by emailing security@aisecurity.llc before sending sensitive details.

While conducting research, please:

• Minimize any impact to site or service availability or other users
• Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability
• Use your own test accounts rather than real user accounts
• Stop testing immediately if you encounter data that appears to belong to real users
• Do not publicly disclose the issue before we have had a reasonable opportunity to respond

We maintain a public Security Acknowledgments page for researchers who responsibly disclose valid vulnerabilities. We will credit you by name (or alias) with your permission.

We do not currently operate a paid bug bounty program. We are grateful for the time and expertise researchers invest and recognize it through public acknowledgment and, where appropriate, direct thanks from our security team.

aisecurity.llc will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy, including under the Computer Fraud and Abuse Act (CFAA) or equivalent legislation. This protection applies provided the researcher does not:

• Conduct testing outside the defined scope
• Access or exfiltrate data beyond what is necessary to demonstrate the vulnerability
• Publicly disclose the vulnerability before we have had a reasonable opportunity to respond
• Use the vulnerability to attack other organizations or users