Responsible Disclosure
Last updated: 19th November 2025
We appreciate security research that helps keep our customers safe. This policy explains how to report vulnerabilities to Aneo and what you can expect from us. It applies to aneo.io and all subdomains and aliases, for example app.aneo.io, api.aneo.io, docs.aneo.io, status.aneo.io, and any future subdomains under *.aneo.io.
Our goal is a respectful, safe, and coordinated process. If you act in good faith and follow this policy, Aneo will not pursue legal action.
How to report
Send your report to rd@aneo.io. You may encrypt with our PGP key below.
Please include:
Affected asset or URL
Vulnerability type and clear impact
Step-by-step reproduction instructions
Minimal proof of concept code or screenshots
Suggested severity and CVSS v3.1 vector if known
Your research timeline and the IPs or accounts used
We prefer reports in English. Do not include personal data unless required to demonstrate impact. If you encounter personal data, stop testing and include a general description only.
Our commitment
We acknowledge your report within 5 business days.
We provide an initial assessment within 10 business days.
We keep you updated at least every 21 days until resolution.
We fix validated issues based on severity and risk.
We offer recognition in our Hall of Fame if you wish. We do not offer a paid bounty at this time.
Safe harbor
If you make a good faith effort to comply with this policy, we consider your research authorized.
We will not initiate legal action or law enforcement investigation for your research under this policy.
We will work with you to understand and resolve the issue. If a third party brings a claim, we will make it clear that your actions were authorized under this policy.
This safe harbor does not apply to actions that are illegal or harmful, including exfiltrating data, affecting availability, privacy violations, or risks to users.
Rules of engagement
Use only accounts you own or test accounts you have explicit permission to use.
Do not access, modify, or store data that is not yours. If you discover data exposure, stop and report the minimal details.
Do not perform actions that degrade service. No denial of service. No automated traffic that could impact availability.
Do not attempt social engineering, phishing, or physical security testing, and do not try to influence our employees or customers into disclosing information.
Do not spam, brute force at scale, or run vulnerability scanners that generate excessive traffic.
Keep exploit attempts to the minimum required to demonstrate impact.
In scope
We are interested in vulnerabilities that could affect confidentiality, integrity, or availability, for example:
Authentication and session management flaws
Authorization bypass, IDOR, and access control issues
SQL injection and other injection flaws
Cross-site scripting with meaningful impact
Cross-site request forgery leading to state change
Server-side request forgery with data access or pivot
Misconfigured cloud storage or CORS that exposes data
Leakage of secrets or credentials
Security misconfigurations that lead to data access or takeover
Out of scope
The following are generally not in scope unless you can demonstrate a clear, user-impacting risk:
Self-XSS and content spoofing without impact
Clickjacking on non-sensitive pages
CSRF on logout or other non-state-changing actions
Missing security headers or low impact TLS issues
Rate limiting suggestions without demonstrated exploitation
Version disclosure or descriptive error messages without a demonstrated exploit
SPF, DKIM, DMARC configuration suggestions without abuse impact
Issues in third party services we do not control
Coordinated disclosure
Please allow us time to remediate before public disclosure.
Our standard timeline is 90 days from acknowledgement or earlier by mutual agreement.
We will credit you in our Hall of Fame after a fix, unless you prefer to remain anonymous.
PGP key
Fingerprint: [insert fingerprint]
Public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[insert PGP key]
-----END PGP PUBLIC KEY BLOCK-----
Privacy and data handling
Reports may contain personal data. We use report information only to investigate and remediate security issues. We store reports securely and share them internally on a need-to-know basis. See our Privacy Policy and Data Processing Agreement for more about how we handle data.
Legal
This policy does not grant rights to access or use our systems beyond what is described here. Testing must comply with applicable law. For full terms see the Terms of Service and Acceptable Use Policy.
Changes
We may update this policy. The "Last updated" date shows the current version. Continued testing after changes means you accept the updated policy.
