Vulnerability Disclosure Policy

Effective March 2026

Contents

  1. Our Commitment
  2. Scope
  3. How to Report
  4. What to Expect
  5. Safe Harbor
  6. Exclusions
  7. Recognition

1. Our Commitment

AI Security Intelligence takes the security of our platform, data, and services seriously. As an organization whose purpose is to evaluate and advance AI security standards globally, we hold ourselves to the same rigorous expectations we apply to the organizations we rate.

We welcome and appreciate responsible disclosure from security researchers, industry peers, and the broader community. Identifying vulnerabilities before they can be exploited is a collaborative effort, and we are committed to working constructively with anyone who brings findings to us in good faith. Our team responds promptly, communicates transparently, and ensures that contributions to our security are acknowledged and protected.


2. Scope

The following systems are in scope for this policy:

  • aisecurityintelligence.com and all subdomains
  • ASI API endpoints — all public and authenticated API surfaces
  • ASI data pipelines and scoring infrastructure — including our CES engine and incident classification systems
  • Client-facing portals and assessment tools — including the AIRS Insurance Scoring Calculator and intelligence dashboards

If you are unsure whether a particular system or finding falls within scope, contact us at security@aisecurityintelligence.com before proceeding. Our team will advise promptly.


3. How to Report

If you discover a vulnerability, please report it directly to our security team:

Security Disclosures

security@aisecurityintelligence.com

Our security team monitors this address continuously.

To help our team triage and respond effectively, please include the following in your report:

  • Description of the vulnerability — a clear, concise explanation of the issue, including the type of vulnerability (e.g., injection, authentication bypass, privilege escalation)
  • Steps to reproduce — a precise, step-by-step reproduction path that allows our team to confirm and validate the finding
  • Potential impact assessment — your assessment of what data or systems could be affected if the vulnerability were exploited
  • Supporting evidence — screenshots, logs, proof-of-concept code, or any other materials that substantiate the report

Reports with clear reproduction steps receive faster responses. Encrypted submissions are welcome; please request our PGP key if you require a secure channel for sensitive findings.


4. What to Expect

Our team is committed to timely, transparent communication throughout the disclosure process. Here is what you can expect after submitting a report:

Within 48 hours: Acknowledgment

Our security team will acknowledge receipt of your report and assign it a tracking reference. We will confirm that we have received all the details we need or request clarification if anything is unclear.

Within 5 business days: Initial Assessment

Our team will complete an initial triage and communicate our preliminary assessment — including severity classification, confirmation of in-scope status, and an initial estimate of remediation timeline.

Ongoing: Regular Updates

We will provide regular updates on remediation progress. For complex or high-severity findings, we will schedule dedicated check-ins to keep you informed at each material stage.

Upon resolution: Confirmation & Recognition

When a valid finding is remediated, we will notify you and, with your permission, recognize your contribution in our security acknowledgments.


5. Safe Harbor

AI Security Intelligence will not pursue legal action against researchers who conduct security research and disclosure in accordance with this policy. We consider responsible disclosure to be a valuable contribution to our security posture and to the broader AI security community.

Safe harbor protections apply to researchers who:

  • Act in good faith and within the scope defined in this policy
  • Do not access, modify, exfiltrate, or delete data belonging to other users or to AI Security Intelligence systems beyond what is minimally necessary to demonstrate the vulnerability
  • Do not disrupt our services or degrade the experience of other users during the course of research
  • Report findings privately to our security team before any public disclosure or disclosure to third parties
  • Allow reasonable time for remediation before publishing — we ask for a minimum of 90 days from confirmed receipt, or longer by mutual agreement for complex vulnerabilities

If you are unsure whether a specific action during your research would fall within safe harbor, contact us before proceeding. We would rather answer a question than have a researcher inadvertently cross a line that puts either party in a difficult position.


6. Exclusions

The following are outside the scope of this policy and will not be treated as valid vulnerability reports under safe harbor protections:

  • Social engineering attacks against ASI personnel, including phishing attempts targeting our team
  • Physical security testing of any ASI facilities or personnel
  • Denial of service attacks or any testing that intentionally degrades availability of our services
  • Automated vulnerability scanning without prior coordination with our security team
  • Findings that require physical access to a user's device to exploit
  • Vulnerabilities in third-party software or services that ASI uses but does not control, which should be reported directly to those vendors
  • Publicly known vulnerabilities that have been disclosed and are pending upstream remediation

7. Recognition

We believe in recognizing the contributions of the security research community. Security researchers who identify and responsibly disclose valid vulnerabilities in our systems make the platform more secure for every organization that relies on our data and scores.

With your permission, we will acknowledge your contribution — including your name or handle and a summary of the finding — on our security acknowledgments page. We respect researchers who prefer to remain anonymous and will honor that preference without question.

We do not currently operate a financial bug bounty program. We review this position annually as our platform scales. Researchers who make exceptionally significant contributions may be eligible for other forms of recognition at our discretion — we encourage you to inquire.

Vulnerability Disclosure Policy — Effective March 2026. AI Security Intelligence LLC. For all security disclosures, contact security@aisecurityintelligence.com.
