Programme scope
What you can test. What's off limits.
If an asset is listed here as in-scope, our safe-harbour applies to good-faith research against it. If not — talk to us before touching anything.
In scope
Authorised research targets.
| Asset | Type | Tier |
|---|---|---|
| aevrix.group and subdomains | Corporate site | Tier 1 |
| aevrix.dev and subdomains | Product surface | Tier 1 |
| aevrix.org and subdomains | Trust surface | Tier 2 |
| axionchat.chat and subdomains | Messaging service | Tier 1 |
| Axion mobile and desktop clients (latest released build) | Client | Tier 1 |
| Aevrix Studio rule packs (when downloaded under your own licence) | Static artefact | Tier 2 |
| Public APIs and OpenAPI specifications we publish | API | Tier 1 |
| Public source on github.com/aevrix-group | Source | Tier 2 |
Tier 1 = full safe-harbour, highest response priority. Tier 2 = full safe-harbour, may have longer SLAs for low-severity findings.
Out of scope
Do not test these.
- Vendor surfaces we do not own: Cloudflare, Lemon Squeezy, Google Workspace, Migadu, GitHub. Report to the vendor directly.
- Third-party libraries we depend on (npm, PyPI, crates.io) unless the finding is in our specific use of them.
- Customer data, employee mailboxes, founder accounts. Never. Stop if you accidentally land there.
- Marketing assets: stock photography, video, copy. We don't accept reports about typos or layout quirks here — open a regular issue.
- Social media accounts are out of scope; report account takeover concerns to the platform.
- Status pages and uptime monitors (status.aevrix.dev, etc.) — these are vendor-hosted and out of programme scope.
Severity examples
How we triage.
| Severity | Example | Target fix |
|---|---|---|
| Critical | Unauthenticated RCE on production server, full account takeover with single user interaction, mass PII exfiltration. | ≤ 14 days |
| High | Authenticated SQL injection, IDOR exposing other accounts, persistent XSS on authenticated surface, secret in public repo. | ≤ 30 days |
| Medium | Self-XSS exploitable in chained context, missing security header on sensitive endpoint, weak password policy bypass, sensitive data in logs. | ≤ 90 days |
| Low | Information disclosure with no direct exploit, missing best-practice control without active risk, CSRF on idempotent action. | ≤ 90 days or risk-accepted |
Out of scope by class
Reports we won't accept.
- Missing security headers on static-only marketing pages with no authenticated state.
- Self-XSS without a credible chain to another user.
- CSRF on endpoints that have no state change or no security impact.
- Vulnerabilities in third-party software where we use it at default configuration and there is no working PoC.
- "Best practice" findings from automated scanners with no demonstrated impact.
- SPF / DKIM / DMARC complaints — our mail policy is documented and intentional.
- Clickjacking on pages with no sensitive actions.
- Open redirects with no demonstrated chain to credential or token theft.