Security
Responsible Disclosure
Last updated: January 1, 2026
We welcome security researchers helping us keep AuraSpear and our customers safe. This page explains how to report a vulnerability in good faith, what is in scope, and what protections we extend to researchers acting in accordance with this policy.
How to report
- Email security@auraspear.com with a clear description, reproduction steps, and impact.
- PGP key: [PGP FINGERPRINT TO BE PUBLISHED]
- We acknowledge reports within 2 business days and aim for an initial triage within 5 business days.
Scope
- In scope: auraspear.com, *.auraspear.com, and published versions of our products under your own tenant.
- Out of scope: third-party services, DDoS or volumetric tests, social engineering of staff, physical attacks, and findings already documented as accepted risks.
Safe harbor
We will not pursue legal action against researchers who act in good faith and follow this policy: avoid privacy violations, do not destroy data, give us reasonable time to remediate, and do not publicly disclose details before we've addressed the issue.
Recognition
With your permission, we list researchers who report valid issues in our security acknowledgements. Bounty payments are not guaranteed; we may, at our discretion, reward exceptional findings.