Vulnerability disclosure policy

Effective: 16 May 2026. Applies to AffixIO public properties listed below.

Report security issues: hello@affix-io.com (subject line must start with Security report). Machine-readable contact: /.well-known/security.txt.

1. Purpose

This policy tells security researchers and customers how to report suspected vulnerabilities in AffixIO-controlled systems. We investigate good-faith reports, fix confirmed issues, and coordinate disclosure with reporters when appropriate.

2. Scope (in scope)

The following are in scope for this policy when operated by AffixIO:

Website: https://www.affix-io.com/ and subpaths served from that host (excluding third-party embeds we do not control).
API: https://api.affix-io.com/ including documented /v1 routes, health endpoints, and published OpenAPI surfaces.
Dashboard: https://dashboard.affix-io.com/ customer console and authentication flows.
Sandbox: https://sandbox.api.affix-io.com/ when available for integration testing.

Issues that affect only a reporter's own tenant or test credentials should be described clearly so we can reproduce across environments.

3. Out of scope

The following are generally out of scope unless you can show a concrete impact on AffixIO or other customers:

Denial of service against production without prior written approval (see section 9).
Social engineering, phishing, or physical attacks against staff or facilities.
Spam, clickjacking on pages with no sensitive action, or missing security headers without demonstrated exploit.
Reports from automated scanners with no manual validation, duplicate reports, or issues already known to us.
Vulnerabilities in third-party services (hosting, CDN, analytics) except where AffixIO configuration clearly enables exploit.
Requests for internal architecture diagrams, HSM procedures, prover secrets, circuit constraints, or production credentials.
Weak SSL ciphers on legacy clients when modern TLS is available and correctly configured.
Account issues that require access to another user's account without authorization.

4. How to report

Send email to hello@affix-io.com with subject Security report - [short title]. One issue per email when possible. Encrypt attachments if they contain customer data (contact us for a secure channel if required).

Include in your report

Product and URL or API path affected.
Steps to reproduce, with request and response samples (redact secrets and personal data).
Impact assessment: confidentiality, integrity, availability, or fraud risk.
Your suggested severity and any proof-of-concept code.
Whether you want public acknowledgment (see section 8).

5. Safe harbour

AffixIO will not pursue legal action against researchers who:

Follow this policy in good faith.
Avoid privacy violations, data destruction, and service disruption beyond what is necessary to demonstrate the issue.
Do not access, modify, or exfiltrate data belonging to other customers.
Give us reasonable time to remediate before public disclosure (section 7).

This safe harbour applies only to testing conducted in scope. It does not authorise criminal activity or violation of other organisations' policies.

6. Response targets

Stage	Target
Initial acknowledgement	Within 3 business days for actionable reports
Triage and severity assignment	Within 10 business days when reproduction succeeds
Fix or mitigation plan	Depends on severity; critical issues prioritised
Retest and closure	Coordinated with reporter when contact is maintained

These are targets, not guarantees. Complex issues or holiday periods may extend timelines. We will keep you informed if your report remains open.

7. Severity (internal handling)

We classify issues roughly as follows:

Critical: unauthenticated remote code execution, authentication bypass, or bulk exposure of secrets or personal data.
High: privilege escalation, significant data exposure, or payment or verification bypass with business impact.
Medium: stored or reflected issues with limited scope, or misconfiguration with plausible exploit path.
Low: defense-in-depth improvements, informational findings, or issues requiring unlikely user interaction.

8. Coordinated disclosure

We prefer coordinated disclosure. After we confirm a fix or acceptable mitigation, we may agree on a disclosure date with you. With your permission we may list your name on security acknowledgments.

Please do not publish details until we confirm readiness, except where required by law. If you plan to publish, give us at least 14 days notice after fix deployment unless we agree otherwise.

9. Testing rules

Use test or sandbox credentials where provided. Do not use production customer data in proofs.
Do not run destructive automated scans against production without written approval.
Rate-limit manual testing; stop if you observe service degradation.
Do not attempt to access other tenants' resources.

10. Bug bounty and rewards

AffixIO does not operate a public paid bug bounty programme at this time. We may offer recognition or, for exceptional reports, discuss commercial terms separately. No reward is promised by this policy.

11. Encryption

Email over TLS is our default channel. If you require an alternative secure channel for large or sensitive material, state that in your initial email and we will arrange transfer.

12. Privacy and data handling

Reports may contain personal data. We use report content only to investigate and remediate issues, and retain it only as long as needed for security and legal purposes. See Privacy for general data handling.

13. Related documents

14. Changes

We may update this policy. The effective date at the top will change. Material changes will be reflected in security.txt expiry and canonical URLs.

15. Contact

Security reports: hello@affix-io.com
General contact: https://www.affix-io.com/contact