Vulnerability Disclosure Policy

Responsible Disclosure

AegisWire is post-quantum secure access infrastructure for regulated industries — and we treat coordinated disclosure as a first-class control, not a courtesy. This policy tells security researchers exactly what is in scope, how to report, and what we commit to in return.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

In scope

What we want you to test

This policy covers security vulnerabilities across every layer of the AegisWire platform — from the post-quantum transport itself to the management plane and shipping clients.

Post-Quantum Transport

The AWT_UNIFIED secure transport: hybrid key establishment, identity signatures, record encryption, breach-containment rekey, and the wire format itself.

ML-KEM-1024 X25519 ML-DSA-87 AES-256-GCM BLAKE3

Control Plane & Gateways

Management platform APIs, the management portal, provisioning and enrolment services, authentication and authorisation endpoints, and the multi-vendor gateway fabric (AWS and Vultr).

Client Applications

The macOS, iOS, Linux, Windows, and Android clients, the developer SDK, and CLI tooling distributed by AegisWire.

Clients macOS iOS Linux Windows Android

Marketing Website

The aegiswire.com marketing website, including forms, static assets, signed update distribution, and any server-side functionality.

Found something that doesn’t fit a category above? Report it anyway — if it affects the confidentiality, integrity, or availability of AegisWire or its customers, we want to hear about it.

Reporting

How to report

Email

security@aegiswire.com

If your report contains sensitive details, indicate so in the subject line and we will establish an encrypted channel before you share specifics.

What to include in your report

  • 1 Description — A clear description of the vulnerability, including which asset is affected and the type of issue (e.g., XSS, injection, authentication bypass, cryptographic weakness, protocol downgrade).
  • 2 Reproduction Steps — Detailed steps to reproduce the issue, including any tools, scripts, or configurations used. The more specific, the faster we can triage.
  • 3 Impact Assessment — Your assessment of the potential impact: what data is at risk, what actions an attacker could take, and the conditions required for exploitation.
  • 4 Environment — The environment where you observed the issue: software version, operating system, client platform, network conditions, or deployment model (SaaS, dedicated, self-hosted) if relevant.

Good-faith research

Safe harbour

Our commitment

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they comply with this policy. We consider good-faith security research to be authorised activity.

If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy.

What we ask

No Denial of Service

Do not perform actions that could degrade service availability for other users. Volumetric testing, resource exhaustion, or intentional service disruption are out of scope.

No Data Destruction

Do not modify, delete, or exfiltrate data belonging to other users. If you accidentally access another user’s data, stop immediately, report it, and do not retain copies.

No Accessing Other Users’ Data

Do not intentionally access, view, or download data that does not belong to you. Use only accounts you own or have explicit permission to test.

Report Before Disclosure

Allow us reasonable time to investigate and remediate before public disclosure. We will work with you on an appropriate timeline and keep you informed of our progress.

What to expect

Our response

When you report a vulnerability, here is what we commit to:

48h

Acknowledgement

We will acknowledge receipt of your report within 48 hours. You will receive a confirmation that your report has been received and assigned for review.

5d

Triage

Within 5 business days, we will assess severity, confirm validity, and provide an initial response. We may ask clarifying questions to help us reproduce and understand the issue.

Ongoing Communication

We will keep you informed as we work on the fix. If remediation takes longer than expected, we will provide status updates. We believe researchers deserve transparency.

Credit

With your permission, we will publicly credit you for your discovery once the vulnerability has been remediated. We respect your preference for anonymity if you prefer it.

A note on bug bounties

AegisWire operates coordinated disclosure with researcher credit rather than a paid public bounty programme.

In the meantime, we credit every contribution, engage with your findings seriously, and treat every valid report as a priority. We genuinely value the work of security researchers.

Security posture

Built for the controls these audits examine

Coordinated disclosure is one part of a fail-closed posture. AegisWire’s engineering, change-control, and traceability practices are built to the controls examined under SOC 2, ISO 27001, GDPR, and HIPAA-style review.

Commissioned on customer scope CNSA 2.0 · NCSC