Responsible Disclosure Policy
Last updated: June 12, 2026
1. Overview
AuditWard builds security tooling, and we hold ourselves to the same standard we help our customers meet. We welcome reports from security researchers who discover vulnerabilities in our systems and we are committed to working with the community to verify and fix them quickly. This policy describes which systems are in scope, how to report a vulnerability, what you can expect from us, and the legal protections we extend to good-faith research.
2. Scope
The following systems and assets are in scope for security research under this policy:
- The AuditWard web application and dashboard at app.auditward.com.
- The AuditWard public APIs at api.auditward.com.
- The AuditWard marketing website at auditward.com.
- Other services operated by AuditWard on subdomains of auditward.com.
3. Out of Scope
The following are out of scope. Do not test or attempt to access them:
- Customer data and customer accounts. If you encounter another user's data during research, stop immediately, do not retain or share it, and include what happened in your report.
- Customer target applications scanned by AuditWard. These belong to our customers and are not ours to authorize testing against.
- Third-party services and infrastructure we rely on (payment processors, email providers, hosting providers, analytics). Report issues in those systems to the respective vendor.
- Physical security of offices, data centers, or personnel.
- Social engineering of AuditWard staff, contractors, or customers (phishing, vishing, pretexting).
- Denial-of-service testing, resource exhaustion, or spam.
- Automated scanning at volumes that degrade service for other users.
4. How to Report a Vulnerability
Email your report to security@auditward.com. Please include:
- A description of the vulnerability and the affected system, endpoint, or component.
- Step-by-step instructions to reproduce the issue, including any request/response samples, proof-of-concept code, or screenshots.
- Your assessment of the impact and any conditions required to exploit it.
- How you would like to be credited, or whether you prefer to remain anonymous.
Please do not disclose the vulnerability to any third party or the public before we have confirmed a fix and agreed on a disclosure timeline with you. Limit your testing to the minimum necessary to demonstrate the issue — do not pivot deeper into systems, exfiltrate data, or persist access.
5. What to Expect From Us
- Acknowledgment within 48 hours. We will confirm receipt of your report within two business days.
- Triage within 5 business days. We will assess severity, confirm whether we can reproduce the issue, and tell you the result.
- Fix timeline. We aim to remediate critical vulnerabilities within 7 days, high-severity issues within 30 days, and lower-severity issues within 90 days. We will share our estimated timeline and keep you informed of progress.
- Coordinated disclosure. Once a fix is deployed, we are happy to coordinate public disclosure with you, including a mutually agreed publication date.
6. Recognition and Credits
We do not currently operate a paid bug bounty program, but we are grateful for responsible reports. With your permission, we will publicly credit you (by name, handle, or link of your choice) once the issue is fixed. If you prefer to remain anonymous, we will fully respect that — just tell us in your report.
7. Safe Harbor
We will not pursue legal action against you, initiate a law-enforcement complaint, or suspend your account in response to security research conducted in good faith and in accordance with this policy. Specifically, for activities that comply with this policy, we:
- Consider your research to be authorized within the meaning of the U.S. Computer Fraud and Abuse Act (CFAA) and equivalent anti-hacking laws in other jurisdictions, and will not bring a claim against you under those laws.
- Waive any claim under the Digital Millennium Copyright Act (DMCA) and similar anti-circumvention laws for circumventing technological measures, to the extent your circumvention was necessary to conduct the research.
- Consider your research exempt from restrictions in our Terms of Service that would otherwise prohibit it, for the limited purpose of work performed under this policy.
- State that your actions were authorized if a third party initiates legal action against you for research conducted in compliance with this policy.
This safe harbor applies only to research that stays within the scope defined above, avoids privacy violations and service disruption, and follows the reporting process in good faith. It does not apply to actions taken against systems owned by third parties, including our customers. If you are unsure whether a planned test is covered, ask us at security@auditward.com before proceeding.
8. Contact
Security reports and questions about this policy: security@auditward.com. Our machine-readable security contact information is published at /.well-known/security.txt (RFC 9116).