Vulnerability Disclosure Policy

We value the security research community and welcome responsible disclosure of vulnerabilities in Ataraxia GRC.

How to Report

Email security@ataraxiagrc.com with:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Your contact information (optional but helpful for follow-up)

What We Ask

• Give us reasonable time to address the issue before public disclosure (90 days)
• Do not access, modify, or delete other users' data
• Do not perform denial-of-service attacks
• Do not use automated scanning tools that generate excessive traffic
• Do not social engineer our employees or customers

What We Commit To

• Acknowledge receipt within 48 hours
• Provide an initial assessment within 7 business days
• Keep you informed of remediation progress
• Credit you in our security acknowledgments (with your permission)
• Not pursue legal action against researchers acting in good faith

Scope

In scope

• ataraxiagrc.com and all subdomains
• Ataraxia GRC application (app.ataraxiagrc.com)
• API endpoints

Out of scope

• Third-party services (Supabase, Stripe, Vercel)
• Social engineering attacks
• Physical security
• Denial of service attacks

We do not currently offer a monetary bug bounty program, but we recognize and appreciate responsible disclosure.