Responsible Disclosure Policy
Report a vulnerability: security@draxion.io — We acknowledge all reports within 2 business days. PGP key available on request.
1. Our Commitment
Draxion is committed to working with the security research community to identify and responsibly resolve vulnerabilities in our systems. We believe that coordinated vulnerability disclosure protects our customers, the broader security community, and the integrity of the systems we build.
If you discover a potential vulnerability in any Draxion system, we want to hear from you. This policy describes our expectations for researchers and our commitments in return.
2. Our Commitments to You
When you report a vulnerability in good faith under this policy, Draxion commits to:
- Acknowledge receipt of your report within 2 business days.
- Provide a substantive response within 10 business days, including our initial assessment, severity classification, and proposed remediation timeline.
- Keep you informed of our progress at reasonable intervals until the vulnerability is resolved.
- Notify you when the vulnerability has been fully remediated.
- Not pursue civil or criminal legal action against researchers who act in good faith and comply with this policy.
- Credit you in our security acknowledgments, if you wish, and only with your explicit permission.
- Treat your report as confidential. We will not share your identity or report details with third parties without your consent, except where required by law.
3. Scope
The following systems and services are in scope for this program:
- draxion.io and all subdomains (app.draxion.io, api.draxion.io, etc.)
- The Draxion web application and platform dashboard
- The Draxion REST API (v1)
- The Draxion Chrome extension (Chrome Web Store ID on file)
- Draxion mobile applications, once released.
The following are explicitly out of scope:
- Third-party services and infrastructure used by Draxion (Vercel, Supabase, Clerk, Arcjet) — please report these directly to the respective vendors.
- Social engineering attacks against Draxion employees, contractors, or customers.
- Physical security of any Draxion facilities or personnel.
- Volumetric denial of service (DoS) or distributed denial of service (DDoS) attacks.
- Automated scanning that generates excessive load on production systems or degrades service for other customers.
- Vulnerabilities in browser extensions other than the Draxion extension.
- Vulnerabilities requiring physical access to a user's unlocked device.
- Reports from automated scanners without manual verification of exploitability.
4. Rules of Engagement
To qualify for safe harbor under this policy, you must comply with all of the following:
- Make a good faith effort to avoid privacy violations, data destruction, service degradation, and interruption of service to other users at all times.
- Only access, modify, or exfiltrate data from accounts you own or accounts for which you have received explicit written permission from the account owner to test.
- Do not exfiltrate, modify, delete, or corrupt any data beyond the minimum necessary to demonstrate the existence of the vulnerability.
- Do not access, download, or exfiltrate any personal data belonging to Draxion customers or their employees. If you accidentally access such data, stop immediately and report it.
- Do not disclose vulnerability details to any third party until Draxion has had a reasonable opportunity to investigate and remediate — typically 90 days from acknowledgement, or as mutually agreed.
- Do not conduct testing against production accounts belonging to real Draxion customers without their explicit written consent.
- Do not use findings for any purpose other than reporting them to Draxion under this policy.
- Provide sufficient technical detail for Draxion to reproduce and verify the vulnerability before requesting remediation confirmation.
5. What to Include in Your Report
A high-quality report helps us triage and remediate faster. Please include:
- A clear description of the vulnerability and its potential impact if exploited.
- Step-by-step reproduction instructions — specific enough that a Draxion engineer who did not discover the issue can reproduce it independently.
- The URL, endpoint, parameter, header, or component affected.
- Screenshots, screen recordings, HTTP request/response captures, or proof-of-concept code — where it is safe to include them.
- Your assessment of severity, using the CVSS qualitative rating scale if possible: Critical / High / Medium / Low.
- Any conditions required to reproduce the issue (authenticated vs. unauthenticated, specific browser, specific account type, etc.).
- Your contact details and preferred method of communication.
6. Priority Vulnerability Classes
We are particularly interested in vulnerabilities in the following categories, listed from highest to lowest priority:
- Cross-organization data access: Any vulnerability that allows one Draxion customer to read, write, or infer data belonging to another customer. This is our highest priority class given the sensitivity of AI governance data.
- Authentication bypass or privilege escalation: Any vulnerability allowing access to authenticated functionality without valid credentials, or elevation from Member to Admin or Owner role without authorization.
- Injection vulnerabilities: SQL injection, prompt injection against LLM components, command injection, cross-site scripting (XSS), or server-side template injection.
- Insecure direct object references (IDOR): Accessing another user's or organization's resources by manipulating object identifiers in API requests.
- Sensitive data exposure: API responses returning personal data, credentials, or internal configuration beyond what is required for the requested operation.
- Audit log integrity: Any vulnerability allowing modification or deletion of audit log entries, or bypassing the cryptographic signing that protects log integrity.
- Chrome extension vulnerabilities: Content script injection, cross-origin data leakage, or unauthorized access to extension storage or messaging.
7. Safe Harbor
Draxion considers security research conducted in accordance with this policy to be:
- Authorized access under the Computer Fraud and Abuse Act (CFAA) and equivalent laws in other jurisdictions, including the Computer Misuse Act 1990 (UK) and similar national legislation.
- Exempt from DMCA Section 1201 anti-circumvention provisions where access is necessary to conduct good-faith security research.
- Conducted in good faith and therefore not subject to civil or criminal legal action by Draxion.
If legal action is initiated by any third party against a researcher who has fully complied with this policy, Draxion will take reasonable steps to make known to the relevant authority that the research was conducted in accordance with this policy.
Safe harbor applies only where the researcher has complied with all requirements in Section 4 of this policy. Researchers who violate those requirements are not covered by this safe harbor provision.
8. Disclosure Timeline
Draxion follows a coordinated disclosure approach:
- Day 0: Researcher submits report to security@draxion.io.
- Day 1–2: Draxion acknowledges receipt and assigns a tracking reference.
- Day 1–10: Draxion provides initial assessment including severity, affected components, and remediation timeline.
- Day 10–90: Draxion works to remediate. We will provide progress updates at least every 30 days. Critical vulnerabilities are prioritized for remediation within 30 days where technically feasible.
- Day 90: Default disclosure deadline. If remediation is not complete by day 90, we will discuss an extension with the researcher. We will not request extensions beyond 120 days except in exceptional circumstances.
- Post-remediation: Draxion notifies researcher of remediation and agrees on public disclosure format and timing.
9. Contact
Submit all vulnerability reports to:
Draxion Security Team
security@draxion.io
PGP encryption is available for sensitive reports. Request our public key at the address above and we will respond with the key within 1 business day.
For general security questions that are not vulnerability reports, see our Security page.