Vulnerability Disclosure Policy
Effective Date: February 15, 2026
1. Introduction
PureTensor Inc values the security community and believes that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users. We are committed to working with security researchers who identify vulnerabilities in our systems through coordinated disclosure.
This policy describes how to report vulnerabilities to us, what you can expect from PureTensor in response, and what we expect from you as a researcher. It is based on the CISA Coordinated Vulnerability Disclosure framework.
2. Scope
In Scope
- puretensor.ai and all subdomains (including intel.puretensor.ai, cyber.puretensor.ai)
- pureclaw.ai
- nesdia.com
- PureClaw open-source repositories on GitHub (github.com/puretensor)
- Any PureTensor-owned infrastructure accessible from the public internet
Out of Scope
- Third-party services (Formspree, Google Fonts, Cloudflare CDN, and other externally hosted platforms)
- Physical security testing
- Social engineering attacks against PureTensor employees or contractors
- Denial of service (DoS/DDoS) attacks
- Automated scanning that generates excessive traffic or degrades service availability
- Testing on systems you do not own or have explicit authorization to test
3. Reporting a Vulnerability
Contact: security@puretensor.ai
If security@puretensor.ai is not yet configured, please use ops@puretensor.ai with "Security Vulnerability Report" in the subject line.
What to Include in Your Report
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions sufficient for our team to verify the issue
- Affected URLs, parameters, endpoints, or components
- Screenshots, screen recordings, or proof-of-concept code (if applicable)
- Your assessment of severity (Critical / High / Medium / Low)
- Your name and contact information (if you wish to be acknowledged)
Encryption
If you need to encrypt sensitive vulnerability details, please contact us first to request our PGP public key. We recommend encrypting any report that includes working exploit code, credentials, or sensitive data.
4. What We Promise
When you report a vulnerability in accordance with this policy, PureTensor commits to the following:
- Acknowledgment: We will acknowledge receipt of your report within 3 business days.
- Assessment: We will provide an initial assessment of the reported vulnerability within 10 business days.
- Updates: We will keep you informed of our progress at least every 14 days until the issue is resolved.
- Resolution: We aim to resolve critical vulnerabilities within 30 days and other vulnerabilities within 90 days of confirmed receipt.
- Recognition: With your permission, we will publicly acknowledge your contribution in our security acknowledgments.
- No Legal Action: We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy.
5. Safe Harbor
PureTensor Inc considers security research conducted consistent with this policy to be:
- Authorized under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
- Authorized under the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1201
- Exempt from restrictions in our Terms of Service that would otherwise prohibit security research activities
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
We will not initiate or support legal action against you for security research conducted in accordance with this policy. If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take steps to make this authorization known.
6. Researcher Obligations
To qualify for safe harbor protection, researchers must adhere to the following guidelines:
- Good Faith: Act in good faith at all times. Avoid privacy violations, data destruction, and service disruption.
- Minimize Harm: Make every effort to avoid impacting service availability or data integrity. Do not degrade the experience for other users.
- Do Not Exfiltrate: Do not access, modify, or exfiltrate data beyond what is minimally necessary to demonstrate the vulnerability. If you encounter personal data, stop testing immediately.
- Confidentiality: Do not publicly disclose the vulnerability until PureTensor has had a reasonable opportunity to remediate (minimum 90 days from confirmed receipt), or until we jointly agree on a disclosure timeline.
- No Extortion: Do not demand payment or threaten disclosure as leverage. This policy does not constitute a bug bounty program.
- Scope: Only test against systems listed in the "In Scope" section above. Do not test against out-of-scope systems.
- Notification: If you inadvertently access personal data or cause unintended impact, stop testing immediately and notify us.
7. Qualifying Vulnerabilities
The following are examples of vulnerability types that are within the scope of this policy. This is not an exhaustive list:
- Cross-site scripting (XSS) — stored, reflected, or DOM-based
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- SQL injection or other injection vulnerabilities (command injection, LDAP injection, etc.)
- Authentication or authorization flaws (privilege escalation, broken access control)
- Sensitive data exposure (unencrypted secrets, leaked credentials, PII disclosure)
- Remote code execution (RCE)
- Insecure direct object references (IDOR)
- Security misconfigurations with demonstrable impact
- Path traversal or local file inclusion
- Broken cryptographic implementations
8. Non-Qualifying Issues
The following issues generally do not qualify under this policy, unless you can demonstrate a concrete, exploitable impact:
- Missing security headers (e.g., X-Frame-Options, HSTS) that do not lead to a demonstrable attack
- Clickjacking on pages with no state-changing or sensitive actions
- Self-XSS (attacks that require the victim to paste code into their own browser console)
- Missing rate limiting without a demonstrable abuse scenario
- Software version disclosure without a known, exploitable vulnerability for that version
- Content spoofing or text injection without demonstrable impact
- Reports generated solely by automated scanning tools without manual verification of exploitability
- Theoretical vulnerabilities without proof of concept
- Issues in third-party dependencies that do not affect PureTensor's deployment
- Reports of insecure SSL/TLS cipher suites or configurations that are mitigated by other controls
9. Acknowledgments
We maintain a hall of fame for security researchers who have responsibly disclosed valid vulnerabilities to PureTensor. If you would like to be publicly acknowledged for your contribution, please indicate this preference in your report.
Acknowledgment typically includes your name (or handle) and, optionally, a link to your website or professional profile. We will seek your approval before publishing any acknowledgment.