Security

Responsible Disclosure Policy

We take security seriously. If you discover a vulnerability in AirGap Intelligence, we want to hear from you — and we commit to responding promptly and working with you to resolve it.

How to report a vulnerability

Send your report to security@airgapintelligence.ai. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it.

Please include the following in your report:

  • A clear description of the vulnerability and the potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected component, URL, or endpoint
  • Any proof-of-concept code, screenshots, or supporting material
  • Your suggested severity (if you have one)

What we commit to

  • Acknowledge your report within 2 business days
  • Provide a status update every 5 business days while the issue is under investigation
  • Aim to resolve critical vulnerabilities within 30 days
  • Keep you informed of our progress and notify you when the fix is deployed
  • Credit you in our acknowledgements if you wish (unless you prefer to remain anonymous)

Safe harbour

We will not pursue legal action against researchers who report vulnerabilities in good faith, provided that:

  • You make every effort to avoid privacy violations, data destruction, or service disruption
  • You only interact with accounts you own or have explicit permission to test
  • You do not exfiltrate, modify, or delete data beyond what is necessary to demonstrate the vulnerability
  • You report the vulnerability to us promptly and do not disclose it publicly while we work on a fix

We consider responsible security research a valuable contribution and want researchers to feel safe working with us.

Out of scope

The following are out of scope for this policy:

  • Social engineering attacks targeting AirGap Intelligence employees or customers
  • Physical attacks against our offices or infrastructure
  • Denial-of-service (DoS or DDoS) attacks
  • Automated scanning that generates excessive load on our systems
  • Vulnerabilities in third-party services or libraries that we do not control
  • Reports based solely on theoretical risk with no demonstrated impact

Scope

This policy covers the following:

  • The AirGap Intelligence web application at app.airgapintelligence.ai
  • The AirGap Intelligence API at app.airgapintelligence.ai/api
  • The marketing website at www.airgapintelligence.ai
Report a vulnerability
security@airgapintelligence.ai

PGP key available on request if you need to send sensitive details securely.

Response commitments
Acknowledgement
Within 2 business days
Status updates
Every 5 business days
Critical fixes
Target: 30 days