Vulnerability Disclosure Policy
Introduction
Aurora Networks PKI Center™ is committed to protecting the security of our systems, services, and users. We appreciate the good-faith security research contributed by the cybersecurity community. If, as a result of your good-faith research on the security of our systems and services, you discover a vulnerability, we encourage you to report it to us responsibly so we can quickly investigate, validate, and remediate the issue. This policy describes the systems and testing activities it covers, how to submit vulnerability reports, what conduct we consider authorized, and how we will coordinate with you.
Scope
This policy applies to the internet-facing systems, applications, APIs, and services owned or operated by Aurora Networks PKI Center under the pkiworks.com domain, including authorized subdomains that are expressly identified by Aurora Networks PKI Center as in scope.
Any system, service, domain, or third-party platform not expressly covered by this scope is out of scope, including but not limited to third-party services, systems not owned or operated by Aurora Networks PKI Center, the physical security of our offices, and non-public or internal systems, employee workstations, corporate networks, customer environments, and any system for which you do not have explicit authorization to test.
If you are uncertain whether a system or a service is in scope, please contact us before beginning testing. Testing outside the stated scope is not authorized by this policy.
Guidelines for Researchers
To ensure the safety of our systems, services, and users, we ask that you conduct research only in good faith and:
- Notify us immediately upon discovering a real or potential security issue.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, to establish persistent, periodic, or on-demand command-line access, or to pivot to other systems.
- Make every effort to avoid privacy violations, data loss, and degradation or interruption of our services.
- Do not access or modify anything in our systems that does not belong to you.
- Do not retain, store, copy, transfer, or share any data accessed during testing, except for the minimum evidence necessary to submit a vulnerability report.
- Do not perform denial of service (DoS) testing, automated or large-volume scanning, credential stuffing or brute-force attacks, physical testing, social engineering, phishing, spam, malware deployment, or any other tests that impair access to or damage a system or data.
- Do not perform any test involving any third-party systems without authorization.
- Do not publicly disclose vulnerabilities until we have had a reasonable amount of time to investigate and remediate the issue. We will work with you to agree on a coordinated disclosure timeline and ask that you provide us with at least 90 days before public disclosure, unless we agree otherwise in writing.
- Do not submit a high volume of low-quality reports, reports generated solely by automated tools without validation, or reports that do not demonstrate a security impact.
Reports involving speculative issues, missing security headers without demonstrated impact, version disclosures without exploitability, or previously known issues may be closed without further action.
Once you have established that a vulnerability exists, or if you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop testing, notify us immediately, and not disclose this data to anyone else. You must also promptly delete any sensitive data in your possession after submitting the report unless we instruct otherwise in writing.
How to Report a Vulnerability
Please submit your vulnerability reports to incident-report@pkiworks.com. Reports may be submitted anonymously. For particularly sensitive information, please contact us at the same email address first so we can arrange a secure channel for delivering your report.
To help us triage and prioritize submissions, we recommend that your report include enough information for us to reproduce, validate, and assess the issue and:
- Describe where the vulnerability was discovered, including the affected URL, endpoint, product, version, account type, or configuration, if known, and the potential impact of exploitation.
- Describe in detail the steps needed to reproduce the vulnerability, including any tools, payloads, test accounts, timestamps, logs, screenshots, or proof-of-concept scripts you used.
- Identify whether you believe the vulnerability is being actively exploited or presents an immediate risk.
- Communicate in English, if possible.
Our Commitment to You
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible, subject to legal, security, confidentiality, and business constraints.
- Within 3 business days, we will acknowledge that your report has been received.
- Within 10 business days, we will seek to provide an initial triage response, which may include a request for more information, a determination that the report is out of scope, or confirmation that we are investigating further.
- To the best of our ability, we will work with you to understand the reported issue and to confirm the existence of the vulnerability to you. We will be as transparent as possible about what steps we are taking during the remediation process, including any issues or challenges that may delay resolution.
- We will prioritize vulnerabilities based on their potential impact, exploitability, and risk to our systems and users, and we may remediate issues through code changes, configuration changes, compensating controls, documentation updates, or other appropriate measures.
- We will maintain an open dialogue to discuss issues.
- We will keep your personal information confidential and not share it without your permission.
- We may not provide detailed status updates or disclose remediation details where doing so could increase risk to our systems, users, customers, or third parties.
Safe Harbor
If you act in good faith, stay within the scope, avoid harm, and comply with this policy, we will not initiate legal action or law enforcement investigation against you for the security research activities authorized by this policy. This commitment does not apply to activity that is malicious, fraudulent, extortionate, destructive, privacy-invasive, outside the stated scope, or otherwise unlawful, and it does not bind third parties.
No Compensation / Bug Bounty
This policy does not establish a financial bug bounty program. Aurora Networks PKI Center does not offer cash rewards, gifts, or financial compensation for vulnerability reports. By submitting a vulnerability report, you acknowledge that you have no expectation of receiving any form of financial compensation. Based on our assessment of the good-faith nature of your actions and at our sole discretion, we may provide a written acknowledgment of your contribution to a mutually agreed audience, provided that any acknowledgment does not disclose confidential, proprietary, customer, or security-sensitive information.