Responsible Disclosure Policy

1. Our Commitment

ColdAI LLC takes the security of our systems, user data, and AI infrastructure seriously. We welcome and encourage responsible disclosure of security vulnerabilities from researchers, users, and the broader security community. We commit to working collaboratively and transparently with those who report issues in good faith.

2. Scope

2.1 In Scope

We are interested in reports covering:

• Authentication and authorization flaws (e.g., broken access control, privilege escalation).
• Data exposure vulnerabilities (e.g., PII leakage, API key exposure, insecure data storage).
• Injection vulnerabilities (SQL injection, command injection, prompt injection with data exfiltration impact).
• Security misconfigurations in production systems.
• AI-specific vulnerabilities (e.g., training data extraction, model inversion, adversarial attacks that bypass safety filters).
• Cryptographic weaknesses in our implementation.
• Third-party dependency vulnerabilities with direct exploitation paths in our systems.

2.2 Out of Scope

The following are explicitly out of scope:

• Volumetric denial-of-service attacks.
• Social engineering of ColdAI employees.
• Physical security attacks.
• Vulnerabilities in third-party services we do not control.
• Reports based on outdated software versions not in our production environment.
• Theoretical vulnerabilities without demonstrated exploitation potential.
• Scanner output without manual validation.

3. How to Report

Submit vulnerability reports to: shayan@coldai.org

Use the subject line: [SECURITY] Vulnerability Report — [Brief Description]

Your report should include:

• A clear description of the vulnerability and its potential impact.
• Step-by-step reproduction instructions, including any tools, scripts, or payloads used.
• Screenshots, videos, or proof-of-concept code demonstrating the issue.
• The systems, endpoints, or components affected.
• Your assessment of severity (Critical / High / Medium / Low) and rationale.
• Your contact details for follow-up.

For highly sensitive vulnerabilities, you may request our PGP public key for encrypted communication.

4. Our Response Process

• Acknowledgement: We will acknowledge receipt of your report within 2 business days.
• Triage: Within 5 business days, we will provide an initial severity assessment and confirm whether the issue is in scope.
• Resolution: We target remediation of Critical vulnerabilities within 7 days, High within 30 days, and Medium/Low within 90 days, depending on complexity.
• Updates: We will keep you informed of progress at meaningful milestones.
• Disclosure Coordination: We will work with you on coordinated disclosure timing. We request a minimum 90-day embargo period before public disclosure to allow adequate remediation time.

5. Safe Harbor

We consider good-faith security research conducted in accordance with this policy to be authorized. ColdAI will not pursue legal action against researchers who:

• Operate within the defined scope and follow this policy.
• Avoid accessing, modifying, or deleting data belonging to other users.
• Do not disrupt production services or degrade user experience.
• Do not exfiltrate more data than necessary to demonstrate the vulnerability.
• Report findings to us before public disclosure.
• Do not engage in extortion or demand payment as a condition of reporting.

6. Recognition

We genuinely appreciate the work of security researchers. While we do not operate a formal bug bounty program at this time, we are committed to:

• Public acknowledgement in our security hall of fame (with your permission).
• A written letter of recognition upon request.
• Consideration of discretionary rewards for exceptional Critical findings at our sole discretion.

We reserve the right to update our recognition program at any time.

7. Policy Updates

This policy may be updated periodically. Material changes will be published on this page with an updated effective date.

8. Contact

Security team contact:
ColdAI LLC
shayan@coldai.org