Responsible Disclosure
AegisWire is post-quantum secure access infrastructure for regulated industries — and we treat coordinated disclosure as a first-class control, not a courtesy. This policy tells security researchers exactly what is in scope, how to report, and what we commit to in return.
In scope
What we want you to test
This policy covers security vulnerabilities across every layer of the AegisWire platform — from the post-quantum transport itself to the management plane and shipping clients.
Post-Quantum Transport
The AWT_UNIFIED secure transport: hybrid key establishment, identity signatures, record encryption, breach-containment rekey, and the wire format itself.
Control Plane & Gateways
Management platform APIs, the management portal, provisioning and enrolment services, authentication and authorisation endpoints, and the multi-vendor gateway fabric (AWS and Vultr).
Client Applications
The macOS, iOS, Linux, Windows, and Android clients, the developer SDK, and CLI tooling distributed by AegisWire.
Marketing Website
The aegiswire.com marketing website, including forms, static assets, signed update distribution, and any server-side functionality.
Found something that doesn’t fit a category above? Report it anyway — if it affects the confidentiality, integrity, or availability of AegisWire or its customers, we want to hear about it.
Reporting
How to report
If your report contains sensitive details, indicate so in the subject line and we will establish an encrypted channel before you share specifics.
What to include in your report
- 1 Description — A clear description of the vulnerability, including which asset is affected and the type of issue (e.g., XSS, injection, authentication bypass, cryptographic weakness, protocol downgrade).
- 2 Reproduction Steps — Detailed steps to reproduce the issue, including any tools, scripts, or configurations used. The more specific, the faster we can triage.
- 3 Impact Assessment — Your assessment of the potential impact: what data is at risk, what actions an attacker could take, and the conditions required for exploitation.
- 4 Environment — The environment where you observed the issue: software version, operating system, client platform, network conditions, or deployment model (SaaS, dedicated, self-hosted) if relevant.
Good-faith research
Safe harbour
Our commitment
We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they comply with this policy. We consider good-faith security research to be authorised activity.
If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy.
What we ask
No Denial of Service
Do not perform actions that could degrade service availability for other users. Volumetric testing, resource exhaustion, or intentional service disruption are out of scope.
No Data Destruction
Do not modify, delete, or exfiltrate data belonging to other users. If you accidentally access another user’s data, stop immediately, report it, and do not retain copies.
No Accessing Other Users’ Data
Do not intentionally access, view, or download data that does not belong to you. Use only accounts you own or have explicit permission to test.
Report Before Disclosure
Allow us reasonable time to investigate and remediate before public disclosure. We will work with you on an appropriate timeline and keep you informed of our progress.
What to expect
Our response
When you report a vulnerability, here is what we commit to:
Acknowledgement
We will acknowledge receipt of your report within 48 hours. You will receive a confirmation that your report has been received and assigned for review.
Triage
Within 5 business days, we will assess severity, confirm validity, and provide an initial response. We may ask clarifying questions to help us reproduce and understand the issue.
Ongoing Communication
We will keep you informed as we work on the fix. If remediation takes longer than expected, we will provide status updates. We believe researchers deserve transparency.
Credit
With your permission, we will publicly credit you for your discovery once the vulnerability has been remediated. We respect your preference for anonymity if you prefer it.
A note on bug bounties
AegisWire operates coordinated disclosure with researcher credit rather than a paid public bounty programme.
In the meantime, we credit every contribution, engage with your findings seriously, and treat every valid report as a priority. We genuinely value the work of security researchers.
Security posture
Built for the controls these audits examine
Coordinated disclosure is one part of a fail-closed posture. AegisWire’s engineering, change-control, and traceability practices are built to the controls examined under SOC 2, ISO 27001, GDPR, and HIPAA-style review.