Last Updated: September 28, 2025

The security of our systems is a top priority. We welcome the help of security researchers in identifying potential vulnerabilities. This policy outlines how to report issues, what we expect, and what you can expect from us.

How to Report a Security Vulnerability

If you believe you have discovered a security vulnerability in a CortexSage service, please report it to us by emailing security@cortexsage.com.

Please include the following details in your report:

  • A clear description of the vulnerability, including its potential impact.
  • Detailed steps to reproduce the issue, including any URLs or code snippets.
  • Your name and contact information for follow-up questions.

Our Commitment ("Safe Harbor")

We will not take legal action against or suspend your account for any activities conducted in accordance with this policy. We consider security research and vulnerability disclosure activities to be authorized and beneficial.

We commit to:

  • Acknowledge receipt of your report promptly, typically within 3 business days.
  • Provide you with an estimated timeline for addressing the vulnerability.
  • Notify you when the vulnerability has been fixed.
  • Publicly acknowledge your contribution with your permission.

Rules of Engagement

To ensure the safety of our users and services, we ask that you:

  • Do not access, modify, or delete any user data that is not your own.
  • Do not perform any actions that could disrupt our services, such as Denial of Service (DoS) attacks.
  • Do not engage in any social engineering or phishing attacks against our employees or users.
  • Provide us with a reasonable amount of time to fix the issue before making any information public.

Exclusions

While we appreciate all reports, the following issues are generally not considered within the scope of this program:

  • Results from automated scanners without proof of a working exploit.
  • Missing best practices (e.g., missing security headers) without a demonstration of impact.
  • Self-XSS (Cross-Site Scripting) that cannot be used to attack other users.
  • Publicly known software version disclosures.