Responsible Disclosure

Effective: 2026-04-22 · Version 1.0

Securie runs a public responsible-disclosure program. Security researchers who report vulnerabilities in good faith are welcome, and we commit to treating every report with the seriousness it deserves.

How to report

Email security@securie.ai with:

  • A description of the vulnerability and its impact.
  • Steps to reproduce (code snippets, HTTP requests, etc.).
  • Any proof-of-concept artifacts.

For sensitive reports, encrypt with our PGP key at /.well-known/securie-pgp.asc.

Our commitments

  • Acknowledge within 24 hours of receipt.
  • Triage verdict within 5 business days (accepted, duplicate, informational, or rejected with reasoning).
  • Fix within 30 days for high and critical severity; within 90 days for medium; best effort for low and informational.
  • Coordinated disclosure: we credit you publicly (optional) and publish an advisory and CVE when the fix ships.

Safe harbor

Good-faith security research against Securie's own surfaces is authorized. We will not pursue legal action for:

  • Testing against your own Securie-installed repositories.
  • Non-destructive proofs of concept that do not access other tenants' data.
  • Reporting through the channels above without prior public disclosure.

Out of scope

  • DoS / resource-exhaustion attacks against production services.
  • Social engineering of Securie employees or customers.
  • Vulnerabilities in third-party services we depend on — report those upstream.
  • Findings requiring physical access to our infrastructure.

Bug-bounty rewards

Rewards are discretionary and scale with the severity of the finding and the quality of the report. Range: $250 (low) – $10,000 (critical and unique). Duplicate reports are credited to the first substantive submitter.