AIARCOASC Docs

Responsible disclosure

security@aiarco.com — 24h ack, 90 days for critical fix, safe-harbour for good-faith research.

What it is

We welcome reports from security researchers. Email security@aiarco.com with steps to reproduce, expected vs actual behaviour, and any artefacts. PGP key on request.

Scope: all *.asc.aiarco.com and *.aiarco.com subdomains; the control-plane API (api.asc.aiarco.com/v1/*); the official SDKs (pip:aiarco, npm:@aiarco/sdk) and CLI (asc).

Out of scope: third-party services we don't operate; social engineering of our staff; physical attacks on data centres; denial-of-service tests against production.

Safe harbour: good-faith research within scope is authorised. We won't pursue legal action provided you (1) avoid data exfil beyond proof, (2) don't degrade production, (3) report privately, and (4) give us a reasonable window to fix before disclosure.

Response SLA:

  • 24 h — acknowledgement.
  • 7 days — triage decision (in scope, severity).
  • 90 days — fix for critical / high; 180 days for medium / low.
  • Public credit on our security Hall of Fame (opt-in).

We do not yet run a paid bug bounty. We do gift swag for valid reports.

Quickstart

# Send report — encrypt to security@aiarco.com if you'd like
echo 'mailto:security@aiarco.com'
# n/a
// n/a

Limits & quotas

LimitDefaultBurstNotes
Ack SLA24 h
Critical fix SLA90 days