Security policy

Security & Responsible Disclosure

If you have found a security issue in cyberguards.ai or its infrastructure, this page tells you how to report it, what to expect from us, and how we protect researchers acting in good faith.

Get a straight answer

How to report a vulnerability

Send an email to [email protected] with [VULNERABILITY REPORT] in the subject line. Encrypted submission is welcome; request our PGP key in the first message if you would like to use it.

A useful report includes:

  • A clear description of the issue and the class of vulnerability (e.g., XSS, SSRF, IDOR, authorization bypass).
  • The affected URL, endpoint, parameter, or component.
  • Step-by-step reproduction instructions.
  • Your assessment of impact and severity.
  • Proof-of-concept evidence — screenshots or HTTP traffic. Avoid destructive payloads.
  • Your environment (browser, OS, tools used).
  • How you would like to be contacted for follow-up.

What we commit to

  • Acknowledge your report promptly.
  • Review it and share an initial severity assessment.
  • Keep you informed of remediation progress.
  • Credit you publicly when we address the issue, if you would like to be credited.
  • Not pursue legal action against researchers who comply with this policy.

Scope

The following are in scope:

  • The CyberGuards website at cyberguards.ai and any subdomains we own.
  • Web applications and APIs operated by CyberGuards under those hostnames.
  • The CyberGuards email infrastructure (mail flow, SPF/DKIM/DMARC, account takeover paths).

Out of scope

Please do not test or report:

  • Physical security or social engineering targeting CyberGuards staff, vendors, or office space.
  • Denial-of-service attacks (volumetric or application-layer).
  • Automated scanning that produces excessive load on our systems.
  • Spam, phishing, or harassment of CyberGuards users, staff, or customers.
  • Issues in third-party services or applications that we do not own or control.
  • Issues only reachable with physical access to a user's device.
  • Engagements or systems belonging to our customers — those are governed by their separate disclosure programs.

Safe harbor for good-faith research

CyberGuards considers research conducted under this policy to be authorized. For activity consistent with the rules above:

  • We will not initiate civil or criminal claims against you.
  • We will not pursue claims under the Computer Fraud and Abuse Act (CFAA) for activity consistent with this policy.
  • We will not pursue claims under the Digital Millennium Copyright Act (DMCA) for circumvention of technology controls performed during authorized testing.
  • If a third party initiates legal action against you for activity that complied with this policy, we will make our authorization known.

This safe harbor binds CyberGuards. It does not waive third-party rights.

What we do as a security firm

CyberGuards is a penetration-testing firm. Our customers entrust us with sensitive information about their systems and findings from engagements. We treat that trust as the central thing we have to protect. Our internal security practices include:

  • Annual third-party penetration testing of our own infrastructure.
  • TLS 1.3 with strong cipher suites for all web traffic.
  • Multi-factor authentication on every employee account that touches customer data.
  • Encrypted communications and storage for engagement artifacts, with documented retention windows.
  • Just-in-time privileged access for sensitive operations.
  • Continuous monitoring of authentication and identity activity.
  • A documented incident response plan with tabletop exercises.

Contact

If you are looking to engage CyberGuards for a penetration test of your own systems, the services overview and contact page are the right starting points. This page is specifically for reporting issues you have found in our website or infrastructure.

Looking to test your own systems?

The scoping call is the same person who runs the engagement. Quick — no slides, no pitch.

Get a straight answer