Redvia AegisCore Responsible Disclosure Policy

Product: Redvia AegisCore
Current supported release: v1.5.19
Security contact: security@redviasystems.com
Policy status: Self-hosted Responsible Disclosure package before external VDP publication

Report suspected vulnerabilities to security@redviasystems.com. Do not open public GitHub issues for vulnerabilities.

Current in-scope areas:
- AegisCore backend API
- Authentication, sessions, MFA, SSO, RBAC, and tenant isolation
- Red Team scope enforcement, approval gates, and kill-switch controls
- Blue Team ingestion, detection, and incident correlation paths
- SOAR connectors and playbook execution controls
- Evidence pipeline, hash chain, signing, and export verification
- Release manifest, release signature sidecar, installer metadata, and update trust
- Frontend operator UI security issues with backend impact
- Desktop wrapper security where it affects installer/update trust or operator safety
- Docker Compose deployment configuration shipped by Redvia
- Official AegisCore documentation where it can cause a concrete security failure

Currently out of scope unless explicitly listed in a future VDP:
- GrowthOps Engine / AegisCore MarketOps
- The production license server
- Redvia internal infrastructure
- Employee devices, email accounts, social media accounts, and non-product systems
- Third-party services, SaaS providers, and infrastructure not operated by Redvia
- Social engineering
- Physical attacks
- Spam, phishing, or credential harvesting
- Denial-of-service or stress testing against production systems
- Automated high-volume scanning of production infrastructure
- Vulnerabilities in third-party dependencies unless directly exploitable in AegisCore

Safe harbor applies to good-faith research that stays within scope, avoids harm, avoids data access beyond the researcher's own accounts, and is reported promptly.

Response targets:
- Acknowledgment: 48 hours
- Initial triage: 5 business days
- Status update: every 10 business days for accepted reports
- Critical remediation target: 7 business days where practical
- High remediation target: 30 days where practical
- Coordinated disclosure: normally up to 90 days

PGP: A public PGP key is not advertised until generated and published.