Vulnerability disclosure policy

Report it. Get a real response. Stay protected.

This policy applies to the entire Aevrix Group attack surface. Read it before you start testing. If you act in good faith and stay within these rules, we will not pursue legal action.

Safe harbour

You are protected if you stay in scope.

We treat good-faith security research as authorised conduct under Article 1, Section 6.A. of the U.S. Computer Fraud and Abuse Act 1986 framework, the UK Computer Misuse Act 1990, and Articles 271 / 273 of the Azerbaijani Criminal Code (computer offences). We will not initiate legal action against you, request prosecution, or seek civil damages, provided you stay within the rules of engagement below.

Rules of engagement

What you can do.

  • Test our public-facing web surfaces (see /scope/ for the canonical list).
  • Test the desktop and mobile clients we publish, in your own test accounts.
  • Test API endpoints we expose publicly, with your own credentials, at a reasonable rate.
  • Inspect source code or public artefacts (releases, container images, public buckets) we ourselves publish.
  • Report findings privately to security@aevrix.org before any public disclosure.

What you must not do

The hard lines.

  • Do not access, modify, or exfiltrate data belonging to other users. If you accidentally land on real user data, stop and report it.
  • Do not run automated scanners against production without rate limits. Stay under 5 requests / second per host.
  • Do not attempt DDoS, volumetric flooding, or capacity exhaustion.
  • Do not engage in social engineering, phishing, or physical intrusion against Aevrix staff, contractors, or vendors.
  • Do not publicly disclose before we have shipped a fix or before the timelines in this policy have elapsed.
  • Do not use findings to extort. Disclosure-for-payment threats are not in good faith and immediately void safe harbour.

What we commit to

Our response SLAs.

Stage                       Target SLA                What you will receive
First reply                 ≤ 2 business days         Acknowledgement that we received your report and assigned a tracking ID.
Triage decision             ≤ 5 business days         Severity assessment (Critical / High / Medium / Low / Out-of-scope) with reasoning.
Remediation plan            ≤ 10 business days        Concrete fix plan with a target ship date.
Critical fix shipped        ≤ 14 days                 Patch in production. CVE assigned if applicable.
High fix shipped            ≤ 30 days                 Patch in production.
Medium / Low fix shipped    ≤ 90 days                 Patch in production or scheduled with risk acceptance.
Public credit               On request after fix      Entry in /hall-of-fame/ with your handle and the bug class. No exact technical detail without your consent.

SLAs are targets, not contracts. We will keep you informed if a complex fix needs longer and we will explain why.

Coordinated disclosure

When you can go public.

By default, you may publish details 90 days after first acknowledgement, or 30 days after a fix ships to production — whichever comes first. We will work with you to coordinate a release date and exchange final write-ups before publication. Active in-the-wild exploitation accelerates this — talk to us directly.

Bounty

No paid bounty programme — yet.

Aevrix Group does not currently operate a paid bug-bounty programme. We do offer: public credit in our Hall of Fame, a written reference letter on request, and merchandise where shipping permits. When we are large enough to run a paid programme responsibly, we will announce it here first.

How to report

One channel. One inbox. Real humans.

Primary channel

Email security findings to security@aevrix.org. Use PGP for sensitive payloads; our key fingerprint is published at /pgp/.

What to include

Affected asset, reproduction steps, impact, your handle for credit, and any proof-of-concept you are comfortable sharing.

In-scope assets: see /scope/ for the canonical list.

Found a bug?

Send it before going public. We respond within two business days.