# ============================================================
# security.txt for ctosblade.com
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
# ============================================================

Contact: mailto:security@ctosblade.com
Expires: 2027-04-23T23:59:59.000Z
Preferred-Languages: en
Canonical: https://ctosblade.com/.well-known/security.txt
Policy: https://ctosblade.com/.well-known/security.txt

# ------------------------------------------------------------
# Scope
# ------------------------------------------------------------
# ctOS:BLADE welcomes responsible disclosure of security
# vulnerabilities affecting:
#
# - ctosblade.com and all subdomains
# - The ctOS:BLADE platform (SaaS, VPC, and on-prem builds)
# - Official ctOS:BLADE API endpoints and integrations
#
# Out of scope:
# - Denial-of-service testing
# - Automated scanning that generates excessive load
# - Social engineering of ctOS:BLADE staff or customers
# - Physical attacks against infrastructure
# - Vulnerabilities already reported by others
# - Issues in third-party services we do not control
#
# For vulnerabilities in deployed customer instances, please
# coordinate disclosure with the affected customer's security
# team in addition to notifying us.

# ------------------------------------------------------------
# Response Expectations
# ------------------------------------------------------------
# Acknowledgement: within 2 business days
# Initial triage:  within 5 business days
# Status updates:  at least every 10 business days until
#                  resolution
# Disclosure:      coordinated; typical embargo 90 days or
#                  until a fix is broadly deployed, whichever
#                  is sooner

# ------------------------------------------------------------
# Safe Harbor
# ------------------------------------------------------------
# Good-faith security research conducted in accordance with
# this policy will not be pursued as a violation of our terms
# of service or applicable law.
#
# We ask that you:
# - Access only data necessary to demonstrate the issue
# - Do not modify, exfiltrate, or retain customer data
# - Do not intentionally degrade service for other users
# - Give us reasonable time to remediate before public
#   disclosure
#
# If in doubt about scope or method, contact us before testing.

# ------------------------------------------------------------
# Reporting Guidance
# ------------------------------------------------------------
# A strong report includes:
# - Affected asset, endpoint, or component
# - Reproduction steps with minimal payloads
# - Observed vs expected behaviour
# - Proof of impact (screenshots, request/response pairs)
# - Suggested remediation, if any
#
# Please avoid sharing vulnerability details via public
# channels (Twitter/X, GitHub issues, etc.) before resolution.
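The field block above follows the RFC 9116 layout: one `Name: value` pair per line, `#` comment lines ignored, `Contact` and `Expires` mandatory, `Expires` and `Preferred-Languages` allowed at most once. The following parser and checker is an added example, not part of ctOS:BLADE's file or tooling; it runs over a constructed sample that mirrors the fields above, and `CHECK_TIME` is a constructed "now" so the expiry check is deterministic.

```python
"""Parse and sanity-check an RFC 9116 security.txt file.

Added example; not part of the security.txt above or of any
ctOS:BLADE tooling. Checks are the structural ones RFC 9116
spells out (required/unique fields, Expires format and horizon,
Canonical matching the fetch URL); it does not verify signatures.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample that mirrors the field block above; the comment
# line is there to show that comments are skipped by the parser.
SAMPLE = """\
# security.txt for ctosblade.com
Contact: mailto:security@ctosblade.com
Expires: 2027-04-23T23:59:59.000Z
Preferred-Languages: en
Canonical: https://ctosblade.com/.well-known/security.txt
Policy: https://ctosblade.com/.well-known/security.txt
"""

# Constructed "now" so the expiry checks below are reproducible.
CHECK_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)

REQUIRED = {"contact", "expires"}              # RFC 9116: MUST be present
AT_MOST_ONCE = {"expires", "preferred-languages"}  # RFC 9116: MUST NOT repeat


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {lowercased field name: [values...]}.

    Field names are case-insensitive per RFC 9116, so they are folded
    to lower case; '#' comment lines and blank lines are skipped.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None,
                       canonical_url: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field: {name}")
    for name in sorted(AT_MOST_ONCE):
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must not repeat: {name}")

    # Contact values must be URIs; mailto:, https:// and tel: are the usual ones.
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    expires = fields.get("expires")
    if expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when <= now:
                problems.append("file has expired")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out "
                                "(RFC 9116 recommends under a year)")

    # Canonical should list the URL the file was actually fetched from.
    if canonical_url and canonical_url not in fields.get("canonical", []):
        problems.append("Canonical does not list the URL the file was fetched from")
    return problems


if __name__ == "__main__":
    issues = check_security_txt(
        SAMPLE, now=CHECK_TIME,
        canonical_url="https://ctosblade.com/.well-known/security.txt")
    print("OK" if not issues else "\n".join(issues))
```

The checker is deliberately strict about `Expires`: a stale file is worse than none, because reporters will trust a contact address nobody reads, so schedule a refresh well before the date rather than setting it years out.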