1. Scope
This policy applies to security vulnerabilities discovered in the Platform, including attestyx.com, attestyx.com/api, attestyx.com/api/registry, and the public APIs.
2. Responsible Disclosure
If you believe you have discovered a security vulnerability, please report it confidentially to [email protected]. Reports should include sufficient detail for us to reproduce and verify the issue. We will acknowledge receipt within 5 business days and provide an estimated remediation timeline within 15 business days.
3. Safe Harbor
We will not initiate civil or criminal legal action against good-faith security researchers who comply with this policy. We consider research to be authorized when it (a) does not access, modify, or destroy data not belonging to you; (b) does not degrade the availability of the Platform for other users; (c) avoids social engineering of our employees, contractors, or end users; and (d) is consistent with the principles in DOJ's legal guidance on the Computer Fraud and Abuse Act for security researchers.
4. Out of Scope
The following are typically out of scope and not eligible for safe harbor: (a) social engineering; (b) physical attacks; (c) third-party services that integrate with the Platform; (d) clickjacking on non-sensitive pages; (e) issues affecting only outdated browsers; (f) self-XSS; (g) reports from automated scanners without contextual analysis.
5. Recognition
We maintain a Hall of Fame for researchers who responsibly disclose qualifying vulnerabilities. We do not currently offer cash bounties; that may change once the SOC 2 Type II audit is completed in 2027.
6. security.txt
The Platform publishes a security.txt file at /.well-known/security.txt per RFC 9116.