Vulnerability Disclosure

We welcome responsible disclosure. Do not test production tenants without written approval.

How to Report

  • Email security@arcticcodex.com with steps to reproduce, impact, and affected endpoints.
  • Include request/response samples, timestamps, and headers where possible.
  • Avoid accessing other customers’ data. Use your own tenant or request a sandbox.

Response Targets

We aim to acknowledge reports within 24 hours and provide a status update within 3 business days.

Out of Scope

  • Denial of service without data risk
  • Rate-limit or brute-force findings without proof of bypass
  • SPF/DMARC/DKIM configuration requests
  • Use of automated scanners without coordinated timing

Safe Harbor

If you follow these guidelines and act in good faith, we will not pursue legal action for your research.