Coordinated disclosure policy.
We welcome the coordinated disclosure of security issues affecting aegismesh.dev or any pre-release AegisMesh component. If you've found something, we want to hear from you — and we'll work with you to get it fixed.
aegismesh.dev and any pre-release AegisMesh component shared with a design partner.
How to report
Send an email to security@aegismesh.dev (preferred), or to hello@aegismesh.dev. Please include reproduction steps, the affected URLs or components, and an estimate of the impact. A PGP key is available on request for encrypted reports.
What you can expect from us
- Acknowledgement within 2 business days of your initial report.
- A triage assessment within 5 business days, including a severity rating and a proposed timeline.
- High and critical issues fixed within 30 days of triage wherever possible; we'll keep you informed if a fix needs longer.
- Status updates at meaningful milestones until the issue is resolved.
- Public credit, at your discretion, on this page once a fix has shipped.
Scope
- aegismesh.dev and its subdomains.
- Any AegisMesh source artefact, container image, or binary distributed to a design partner.
Out of scope: third-party services we rely on (for example our hosting provider, font provider, and CDN); volumetric or denial-of-service testing; social engineering of the founder or team; and physical attacks.
Safe harbour
If you act in good faith, follow this policy, avoid privacy violations, the destruction of data, and disruption of service, and give us a reasonable time to remediate before any public disclosure, we will not pursue legal action against you for your research. We consider good-faith security research authorised under this policy.
No paid bug bounty
We do not currently run a paid bounty programme. We will, however, gladly credit you publicly and provide a written reference letter on request.
Forward-looking notice
This policy will be re-issued after incorporation under AegisMesh. Open reports remain in scope across the transition.