Security Research & Responsible Disclosure
Program Status: Active | Last Updated: January 1, 2025
We welcome security researchers to help us maintain the security and privacy of our users.
At Carpathian, we believe that security is a collaborative effort. We appreciate the security research community's efforts to responsibly disclose vulnerabilities and help us improve the security of our services. This program outlines our coordinated vulnerability disclosure process and provides guidance for security researchers.
Scope
This security research program covers the following Carpathian services:
- carpathian.ai - Main website and customer portal
- API endpoints - All public APIs and authentication systems
- Cloud infrastructure services - Client-facing hosting services
- Client applications - Web applications and mobile interfaces
Out of Scope
The following are explicitly out of scope for this program:
- Physical attacks against Carpathian offices or employees
- Social engineering attacks against Carpathian employees
- Third-party services not directly operated by Carpathian
- Client data or applications hosted on our infrastructure (unless it affects our platform security)
- Denial of Service (DoS) attacks
- Spam or content injection
- Issues that require physical access to a user's device
Safe Harbor
When conducted in accordance with this policy, we consider security research and vulnerability disclosure activities to be "authorized" conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws. We will not initiate or recommend legal action against you for accidental, good faith violations of this policy, provided that you:
- Make a good faith effort to avoid privacy violations, destruction of data, and disruption of our services
- Contact us immediately if you discover user data and agree to not access, modify, or store this data
- Give us reasonable time to investigate and resolve issues before making any information public
- Do not perform testing that could degrade the performance of our services or impact our users
Reporting Guidelines
When reporting a vulnerability, please include the following information:
- Description: A clear description of the vulnerability and its potential impact
- Steps to reproduce: Detailed steps that allow us to reproduce the issue
- Proof of concept: Screenshots, videos, or other evidence demonstrating the vulnerability
- Affected systems: Which services, URLs, or components are affected
- Your assessment: Your assessment of the severity and potential impact
How to Report
Please send vulnerability reports to: info@carpathian.ai
For sensitive reports, you may use our PGP key, available at /.well-known/security.txt.
Our Commitment
When you submit a vulnerability report, we commit to:
- Acknowledge receipt within 2 business days
- Provide regular updates on our investigation progress
- Work with you to understand and resolve the issue
- Keep you informed about our remediation timeline
- Credit you for your discovery if you wish (unless you prefer to remain anonymous)
Rewards
While this is primarily a coordinated vulnerability disclosure program, we may offer recognition or rewards at our discretion for high-quality reports that help improve our security posture. Rewards are determined based on:
- Severity and impact of the vulnerability
- Quality and completeness of the report
- Adherence to our disclosure guidelines
Recognition
Security researchers who contribute to our security will be acknowledged on our security acknowledgments page (with your permission) and may receive:
- Public recognition for your contribution
- Carpathian swag and merchandise
- Potential monetary rewards for critical vulnerabilities
Legal
This policy is designed to be compatible with common vulnerability disclosure practices. We reserve the right to modify this policy at any time. If you have questions about this policy, please contact us at info@carpathian.ai.
Contact Information
Report a Security Vulnerability
- Primary Contact: info@carpathian.ai
- Expected Response Time: Within 2 business days
- Security Policy: /.well-known/security.txt
For other security-related inquiries:
- Security Team: info@carpathian.ai
- General Inquiries: info@carpathian.ai
- Security.txt: /.well-known/security.txt
Security Research White Papers
Access our dedicated security research white papers and technical analysis documents.
Browse Security Articles by Topic
Find security-related articles and best practices in our general publications.
Last Updated: November 1, 2025 | Program Version: 1.0

