Vulnerability Disclosure Policy

We welcome reports of security vulnerabilities in our systems and services submitted in good faith.

Reporting a Vulnerability

Please report suspected vulnerabilities to: security@anomalyse.io

Include:

• a description of the issue

• affected URL, endpoint, or component

• steps to reproduce

• proof-of-concept material where relevant

• your contact details

Scope

This policy applies to public-facing systems, services and APIs operated by us.

Research Guidelines

When conducting security research under this policy, you must:

• act in good faith

• avoid privacy violations, data destruction or service disruption

• avoid accessing, modifying, or retaining customer data except where strictly necessary to demonstrate the issue

• avoid actions that would degrade the availability or integrity of our systems

• give us a reasonable opportunity to investigate and remediate before public disclosure

Safe Harbour

We will not pursue legal action against researchers for good-faith testing conducted in accordance with this policy.

This safe harbour does not apply to activity that:

• intentionally accesses customer data beyond what is necessary to demonstrate an issue

• causes service disruption

• involves extortion, social engineering, spam or physical attacks

• violates applicable law

Our Commitments

For valid reports submitted in good faith, we aim to:

• acknowledge receipt within 3 business days

• investigate and validate the issue

• keep the reporter informed of material progress where appropriate

• remediate confirmed issues according to risk and impact

We do not currently operate a public bug bounty programme and do not commit to financial rewards.