Coordinated disclosure policy.
Aegis Mesh is pre-incorporation. Until the entity “AegisMesh” is registered, the security contact is Akash Shaw (founder). We welcome coordinated disclosure of security issues affecting aegismesh.dev or any pre-release Aegis Mesh component.
How to report
Send an email to security@aegismesh.dev (preferred) or hello@aegismesh.dev. Please include reproduction steps, affected URLs or components, and an estimate of impact. A PGP key is available on request.
What you can expect
- Acknowledgement within 2 business days of your initial report.
- A triage assessment within 5 business days, including severity and proposed timeline.
- Status updates at meaningful milestones until the issue is resolved.
- Public credit at your discretion (on this page) once a fix is shipped.
Scope
- aegismesh.dev and its subdomains.
- Any Aegis Mesh source artefact, container image, or binary distributed to a design partner.
Out of scope: third-party services we use (Netlify, Google Fonts, Cloudflare); volumetric or denial-of-service testing; social-engineering of the founder; physical attacks.
Safe-harbour
If you act in good faith, follow this policy, avoid privacy violations, destruction of data, and disruption of service, and give us a reasonable time to remediate before any public disclosure, we will not pursue legal action against you for your research.
No paid bug bounty
We do not currently run a paid bounty programme. We will, however, gladly credit you publicly and provide a written reference letter on request.
Forward-looking notice
This policy will be re-issued post-incorporation under AegisMesh. Open reports remain in scope across the transition.