Security
Coordinated Disclosure Policy
Last updated:
Ayliea welcomes security researchers who help us protect our customers. This policy describes how to report a vulnerability and what you can expect from us in return. Machine-readable contact information is published at /.well-known/security.txt per RFC 9116.
Reporting a vulnerability
Email security@ayliea.com with:
- A clear description of the issue
- Steps to reproduce, proof-of-concept, or other supporting evidence
- The impact you believe it has (data exposure, integrity loss, availability impact)
- The affected URL or component
If your report contains sensitive details, request our PGP public key by emailing security@ayliea.com and we will send it before you submit the body of the report.
What we commit
- Acknowledgment within one business day of your report
- Status updates as we triage, validate, and remediate
- Public credit in a researcher acknowledgements list, with your permission, once the issue is resolved (we publish entries when we have valid reports to recognize)
- Safe harbor — we will not initiate legal action against good-faith security research conducted in compliance with this policy (see below)
We do not currently offer monetary bug bounties.
In scope
- ayliea.com — the marketing site
- assess.ayliea.com — the Ayliea Assess application
Out of scope
The following are out of scope for this program. Reports against these will be acknowledged but are not eligible for credit:
- admin.ayliea.com — protected by Cloudflare Access and reserved for Ayliea staff. Do not test for access bypass; circumventing access controls is exactly what we need researchers not to do.
- Test accounts other than your own — use your own account to demonstrate issues.
- Sub-processor systems — vulnerabilities in Vercel, Supabase, Anthropic, Stripe, Resend, or other vendors named in our DPA Annex III. Report those upstream to the vendor.
- Social engineering of Ayliea staff, contractors, or customers.
- Physical security of our office or our staff's homes.
- Denial-of-service, volumetric, or rate-limit testing that degrades service availability for other users.
- Third-party software we use without modification (npm packages, browser extensions, OS-level libraries). Report those upstream to the maintainer.
What we ask of you
Safe-harbor protection (below) requires that you:
- Do not access, modify, or delete data belonging to other users. Use only your own account.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate (we aim for 90 days from acknowledgment; we will tell you sooner if a shorter coordinated-release window makes sense).
- Do not degrade service availability for other users.
- Do not retain customer data that you incidentally accessed during research. Report what you saw, then delete it.
Safe harbor
Ayliea will not initiate legal action against you for security research conducted in good faith and in compliance with this policy. We will work with you in good faith to understand and resolve the issue. If a third party (such as a sub-processor or law enforcement) initiates action against you for activity that complied with this policy, we will make reasonable efforts to clarify your good-faith involvement.
This policy does not authorize action by you against any party other than Ayliea.
Updates to this policy
This policy may be updated. The most recent version is published at this URL. Material changes are noted in our changelog.
Questions about this policy? Email security@ayliea.com.
