Axivum · Security

Reporting a vulnerability in AEGIS

If you've found a security issue in AEGIS or any service running on axivum.io, here's how to tell us. We respond to every report.

Contact

Send reports to

security@axivum.io

You can also use the contact form at /contact if you don't want to send email. Mark the message as security-related so it routes correctly.

If you need to encrypt: drop us a line at the address above and we'll exchange a key out-of-band.

Response SLA

Acknowledgement: within 24 hours.
Triage / first reply on impact: within 72 hours.
Patch deployed: depends on severity. Critical issues we aim to ship inside 7 days. Lower severity, within 30.
Public disclosure: we ask for 90 days from first report. Earlier if you and we both agree the patch is widely deployed.

What's in scope

In scope

axivum.io and subdomains
The AEGIS Worker (/api/*)
The dashboard (/dashboard)
Auth flows (login, MFA, password reset, signup)
Multi-tenant isolation bugs
The agentic action system (T0–T3)

Out of scope

Third-party services (Cloudflare, Resend, Groq) — report to them directly
Findings that require physical access
Self-XSS or social-engineering of our own staff
Volumetric DDoS — Cloudflare handles those
SPF/DMARC/DKIM hardening (we know; tracked)
"unsafe-eval" in CSP (known; see ADR 0003)

Safe harbor

We will not pursue legal action against researchers who:

Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
Only test against accounts they own or have explicit permission to test.
Don't publicly disclose before a patch is shipped (or 90 days, whichever is sooner).
Don't use the finding to pivot beyond what's needed to demonstrate impact.

What we don't do (yet)

Cash bug bounties. We're a bootstrapped startup. We can't pay yet. We can offer credit on this page, a written reference for your portfolio, and our genuine thanks.
Hall of fame on the marketing site — coming soon. Until then, ask and we'll list you here.

Recent acknowledgements

None yet — be the first.

Public threat model & ADRs

Our threat model lives in the repo at docs/THREAT_MODEL.md, and our architecture decisions are in docs/adr/. Both are public. If you spot a gap there before you spot a vulnerability, we'd love to hear about it too.