Home / Legal / Responsible Disclosure
§ Legal v1.2 · effective 01 Apr 2026

Responsible
disclosure.

If you have found a vulnerability in the Certius Labs platform, in a piece of research we have published, or in an agent we audit — we want to hear about it. Fast, safe, and without legal noise.

Scope

This policy covers:

  • The Certius Labs product platform (web application, API, SDK)
  • Certius Labs public research artifacts (published reports, code repositories, test suites)
  • Our corporate infrastructure (email, identity, marketing site)

It does not cover customer agents we are under contract to audit — those are governed by the individual customer engagement and must be reported to us privately rather than publicly.

How to report

  1. Email security@certiuslabs.com. PGP key fingerprint: 7B2A · 4C91 · 18DF · E025 · 6A3C · 91BF · A44D · 22E8 · 7712 · 55C1. Full key on our /.well-known/security.txt.
  2. Include: affected surface, reproduction steps, expected impact, and the earliest public-disclosure date that works for you.
  3. Do not include third-party data, customer data, or exploit payloads that would cause live damage.

What we commit to

  • Acknowledge within 24 hours of receipt. Business days, but we aim for always.
  • Triage within 5 business days. We tell you severity, whether it is in scope, and a rough timeline.
  • Remediate on a severity-weighted SLA: Critical ≤ 7 days, High ≤ 14 days, Medium ≤ 30 days, Low ≤ 90 days.
  • Keep you in the loop. Status updates at least weekly while a report is open.
  • Credit, if you want it. Hall of fame, CVE attribution, named acknowledgement in our security changelog. Anonymous is also fine.
  • Bounties. Up to €10,000 for critical findings in the platform. Full table below.

Safe-harbour statement

Good-faith security research conducted under this policy is authorised. We will not pursue civil or criminal action, nor report to law enforcement, for research that stays within scope, avoids privacy violations, and gives us a reasonable window to fix before public disclosure. If a third party brings action related to research conducted under this policy, we will state that the activity was authorised and will defend the claim where appropriate. — Certius Labs, binding commitment

Out of scope

  • Social engineering of Certius Labs employees or contractors
  • Denial-of-service attacks against production infrastructure
  • Physical security testing of our offices
  • Findings based solely on outdated browser versions or missing best-practice headers without demonstrated impact
  • Exploit chains that require compromising a customer's credentials first

Bounty table

SeverityRangeTypical finding
Critical€5,000 – €10,000Remote code execution, authentication bypass, exfiltration of customer audit data.
High€1,500 – €5,000Privilege escalation, stored XSS with impact, severe SSRF.
Medium€300 – €1,500CSRF with sensitive action, IDOR on non-critical object, limited information disclosure.
Low€50 – €300Low-impact information disclosure, self-XSS, hardening recommendations.

When we disagree

If we mark something out of scope and you disagree, email a founder directly — andrew@certiuslabs.com. We read everything. We would rather pay a bounty on a marginal finding than have a reporter feel we brushed them off.

This policy is adapted from the disclose.io Core Terms. Rev 1.2 · effective 01 April 2026.