Vulnerability Disclosure Policy

Responsible Disclosure

We take the security of AegisWire seriously and value the work of security researchers who help us protect our users. This policy describes how to report vulnerabilities and what to expect from us.

Scope

This policy covers security vulnerabilities in the following AegisWire assets:

Platform Services

Control plane APIs, management portal, provisioning services, authentication and authorisation endpoints.

Client Applications

Desktop clients (macOS, Windows, Linux), mobile applications, and CLI tools distributed by AegisWire.

Marketing Website

The aegiswire.com marketing website, including forms, static assets, and any server-side functionality.

Transport Protocol

The AegisWire secure transport protocol, including key exchange, AEAD encryption, the post-compromise security (PCS) ratchet, and the wire format.

How to Report

Email

security@aegiswire.com

If your report contains sensitive details, say so in the subject line without including the details themselves, and we will establish a secure channel before you send them.

What to include in your report

1. Description — A clear description of the vulnerability, including which asset is affected and the type of issue (e.g., XSS, injection, authentication bypass, cryptographic weakness).
2. Reproduction Steps — Detailed steps to reproduce the issue, including any tools, scripts, or configurations used. The more specific, the faster we can triage.
3. Impact Assessment — Your assessment of the potential impact: what data is at risk, what actions an attacker could take, and the conditions required for exploitation.
4. Environment — The environment where you observed the issue: software version, operating system, browser, network conditions, or deployment model if relevant.

Safe Harbour

Our Commitment

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they comply with this policy. We consider good-faith security research to be authorised activity.

If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy.

What We Ask

No Denial of Service

Do not perform actions that could degrade service availability for other users. Volumetric testing, resource exhaustion, or intentional service disruption are out of scope.

No Data Destruction

Do not modify, delete, or exfiltrate data belonging to other users. If you accidentally access another user’s data, stop immediately, report it, and do not retain copies.

No Accessing Other Users’ Data

Do not intentionally access, view, or download data that does not belong to you. Use only accounts you own or have explicit permission to test.

Report Before Disclosure

Allow us reasonable time to investigate and remediate before public disclosure. We will work with you on an appropriate timeline and keep you informed of our progress.

Our Response

When you report a vulnerability, here is what you can expect from us:

Acknowledgement (48 hours)

We will acknowledge receipt of your report within 48 hours. You will receive a confirmation that your report has been received and assigned for review.

Triage (5 business days)

Within 5 business days, we will assess severity, confirm validity, and provide an initial response. We may ask clarifying questions to help us reproduce and understand the issue.

Ongoing Communication

We will keep you informed as we work on the fix. If remediation takes longer than expected, we will provide status updates. We believe researchers deserve transparency.

Credit

With your permission, we will publicly credit you for your discovery once the vulnerability has been remediated. If you would rather remain anonymous, we will respect that.

A Note on Bug Bounties

AegisWire does not currently operate a paid bug bounty programme. We are an early-stage company building the foundation of what we intend to be a serious security product. A formal bug bounty programme is on our roadmap as the company scales.

In the meantime, we will credit your contribution, engage with your findings seriously, and treat every valid report as a priority. We genuinely value the work of security researchers.