Vulnerability Disclosure Policy

Noir Stack LLC

A Virginia Limited Liability Company

Effective Date: January 1, 2024

Last Updated: January 1, 2026

Noir Stack LLC ("Company," "Noir Stack," "we," or "us") is committed to maintaining the security and integrity of its platforms, APIs, AI systems, and infrastructure (collectively, the "Services").

This Vulnerability Disclosure Policy ("Policy") provides a process for security researchers and the public to responsibly report potential security vulnerabilities.

1. Purpose

The purpose of this Policy is to:

  • Encourage responsible disclosure of security vulnerabilities
  • Provide a clear reporting channel
  • Enable timely investigation and remediation
  • Protect users, systems, and data

2. Scope

This Policy applies to vulnerabilities discovered in:

  • Public-facing web applications and APIs operated by the Company
  • Hosted SaaS platforms and related infrastructure
  • Authentication, access control, and session management systems
  • AI-enabled systems and associated service endpoints

This Policy does not apply to third-party systems not owned or controlled by the Company.

3. Authorized Testing

Security research under this Policy is limited to:

  • Testing against systems owned or operated by the Company
  • Non-destructive testing methods
  • Activities that do not degrade service availability or integrity

The following activities are not authorized:

  • Denial-of-service (DoS/DDoS) testing
  • Automated scanning that materially impacts system performance
  • Social engineering, phishing, or physical attacks
  • Accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate a vulnerability
  • Persistence within systems after a vulnerability has been identified

4. Safe Harbor

The Company will not pursue legal action against individuals who:

  • Act in good faith to identify and report vulnerabilities
  • Follow the guidelines outlined in this Policy
  • Do not exploit vulnerabilities beyond what is necessary for proof of concept
  • Do not disclose vulnerabilities publicly prior to remediation

This safe harbor applies only to activities conducted within the scope of this Policy and in compliance with applicable law.

5. Reporting a Vulnerability

Vulnerabilities should be reported to:

security@noirstack.com

Reports should include, where possible:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Affected systems or endpoints
  • Proof-of-concept or supporting evidence
  • Potential impact assessment

Providing clear and complete information will facilitate faster remediation.

6. Company Response Process

Upon receipt of a valid report, the Company will:

  • Acknowledge receipt within a reasonable timeframe
  • Assess and validate the reported vulnerability
  • Prioritize remediation based on severity and impact
  • Implement corrective measures as appropriate

The Company may request additional information to support investigation.

7. Disclosure and Coordination

The Company requests that researchers:

  • Refrain from public disclosure until the issue is resolved or coordinated disclosure is agreed
  • Allow reasonable time for remediation

The Company may coordinate public disclosure where appropriate.

8. No Compensation

The Company does not currently operate a bug bounty program and does not guarantee monetary compensation for reported vulnerabilities.

Recognition may be provided at the Company's discretion.

9. Limitations

This Policy does not grant authorization to:

  • Access data belonging to other users or tenants
  • Circumvent authentication or authorization controls beyond minimal proof-of-concept
  • Violate applicable laws, including those of the Commonwealth of Virginia and the United States

Any activity outside the scope of this Policy may be subject to investigation and legal action.

10. Relationship to Other Policies

This Policy supplements and should be read in conjunction with:

  • Security Policy
  • Acceptable Use Policy
  • Terms and Conditions

In the event of conflict, the Terms and Conditions govern.

11. Changes to This Policy

The Company may update this Policy at any time.

Material changes will be reflected by updating the "Last Updated" date.

12. Contact

Security reports and related inquiries:

security@noirstack.com

Noir Stack LLC · Commonwealth of Virginia
