Responsible disclosure
security@aiarco.com — 24h ack, 90 days for critical fix, safe-harbour for good-faith research.
What it is
We welcome reports from security researchers. Email security@aiarco.com with steps to reproduce, expected vs actual behaviour, and any artefacts. PGP key on request.
Scope: all *.asc.aiarco.com and *.aiarco.com subdomains; the control-plane API (api.asc.aiarco.com/v1/*); the official SDKs (pip:aiarco, npm:@aiarco/sdk) and CLI (asc).
Out of scope: third-party services we don't operate; social engineering of our staff; physical attacks on data centres; denial-of-service tests against production.
Safe harbour: good-faith research within scope is authorised. We won't pursue legal action provided you (1) avoid data exfil beyond proof, (2) don't degrade production, (3) report privately, and (4) give us a reasonable window to fix before disclosure.
Response SLA:
- 24 h — acknowledgement.
- 7 days — triage decision (in scope, severity).
- 90 days — fix for critical / high; 180 days for medium / low.
- Public credit on our security Hall of Fame (opt-in).
We do not yet run a paid bug bounty. We do gift swag for valid reports.
Quickstart
# Send report — encrypt to security@aiarco.com if you'd like
echo 'mailto:security@aiarco.com'# n/a// n/aLimits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Ack SLA | 24 h | — | |
| Critical fix SLA | 90 days | — |