Report a Security Issue
We welcome good-faith reports about vulnerabilities affecting Arcitix-owned systems.
Scope
Report vulnerabilities in Arcitix-owned public web properties and systems. Do not test third-party client environments, social engineering, physical attacks, denial of service, or spam.
Rules
Use minimal testing, avoid data access beyond what is necessary to prove impact, do not disrupt services, and give us reasonable time to investigate before disclosure.
Submit
Email a clear report, affected URL, reproduction steps, impact, and your contact details to security@arcitix.com. For sensitive reports, ask us for a PGP key to encrypt your submission.
Our Commitment (SLA)
We aim to acknowledge reports within 3 business days, provide a triage assessment within 10 business days, and keep you updated through to resolution. We will credit reporters who wish to be named once an issue is fixed.
Safe Harbor
We will not pursue or support legal action against you for good-faith security research that follows this policy — including accessing only the minimum data necessary to demonstrate a vulnerability, and giving us reasonable time to remediate before public disclosure. We consider such research authorized under applicable anti-hacking laws and will work with you, not against you. If legal action is initiated by a third party against you for activity conducted under this policy, we will make this authorization known.
Recognition
We currently offer recognition (a public thank-you, with your consent) rather than monetary bounties. This may change; any bounty program will be announced here.