Vulnerability Disclosure Policy (VDP)

1 Purpose

Security is a core value at Axinom. The purpose of this Vulnerability Disclosure Policy (VDP) is to provide a clear, secure, and responsible mechanism for external parties to report potential security vulnerabilities found in Axinom products or services.

2 Scope

This policy applies to all publicly accessible and officially released Axinom software, SaaS offerings, APIs, mobile applications, cloud infrastructure, and associated documentation. Unless explicitly stated, the following are out of scope:

Third‑party services or libraries not under Axinom’s control.
Vulnerabilities in systems hosted by customers on‑premises.
Social‑engineering attacks against Axinom staff or customers.

If you are unsure whether an asset is in scope, please email us before testing.

3 Our Commitment to Security Researchers

Axinom welcomes reports from security researchers, customers, and the wider community. We commit to:

Acknowledgement. Confirm receipt of your report within 2 business days.
Assessment. Provide an initial evaluation and severity rating (CVSS) within 5 business days.
Communication. Keep you informed of remediation progress at least every 15 days until resolution.
Resolution. Make reasonable efforts to remediate validated vulnerabilities promptly, prioritised by severity and impact.

Note: Axinom currently operates a non‑monetary program and does not offer cash bounties.

4 Reporting a Vulnerability

4.1 What to Include

Provide as much detail as possible, such as:

Affected product name, version, and environment (e.g., staging, production).
Step‑by‑step reproduction instructions.
Proof‑of‑concept code or screenshots.
Impact assessment and potential exploit scenario.
Your preferred contact information and public PGP key (optional).

4.2 How to Submit

Email: security@axinom.com

All submissions will be handled under strict confidentiality.

5 Researcher Guidelines

To help us triage and fix issues quickly while ensuring legality and safety, please:

Test only against assets you know are in scope.
Avoid actions that could harm data or disrupt services for other users.
Do not access, modify, or destroy data that does not belong to you.
Do not publicly disclose the vulnerability or any data obtained until we have resolved the issue and mutually agreed on disclosure timing.
Comply with all applicable laws.

6 Safe Harbor Statement

If you comply in good faith with this policy, Axinom will not pursue legal action or refer the matter to law enforcement, and any DMCA or similar restrictions are waived. If legal action is initiated by a third party against you for lawful research under this policy, Axinom will take steps to make it known that your actions were conducted in compliance with this VDP.

7 Our Vulnerability Handling Process

Triage & Severity Rating. Axinom’s Security Team assigns a CVSS score and risk category.
Fix Planning. Engineering teams develop remediation steps; timelines follow severity:
- Critical: fix deployed within 14 days.
- High: within 30 days.
- Medium/Low: within 90 days.
Validation. Researcher confirmation requested where practical.
Disclosure Coordination. Axinom publishes security advisories once a fix or mitigation is available, or after 90 days, whichever comes first.

8 Public Disclosure

We aim for coordinated disclosure. Axinom will notify the reporter when the issue is resolved so they may disclose responsibly. If no response is received from the reporter within 15 days of our fix notice, Axinom may proceed with public disclosure.

9 Out‑of‑Scope Vulnerabilities

Findings are out of scope unless you can demonstrate a credible attack that impacts the confidentiality, integrity, or availability (CIA) of Axinom systems or data. Configuration weaknesses or best‑practice gaps without proven exploitability will be treated as informational and may be declined.

Examples (non‑exhaustive):

SPF, DKIM, or DMARC misconfigurations without a viable spoofing or phishing scenario.
Missing or weak security headers (e.g., HSTS, CSP) that do not lead to an exploit path.
Clickjacking on pages with no sensitive actions.
Use of outdated browser versions where no Axinom mitigation is bypassed.
Denial‑of‑Service via excessive automated requests (unless the technique is novel or results in persistent service impact).

10 Privacy and Data Protection

All vulnerability information is processed under Axinom’s Privacy Policy and retained only as long as necessary for remediation and compliance.

11 Contact Information

Primary Contact: security@axinom.com
Alternate Contact: https://axinom.atlassian.net/servicedesk

12 Legal Notice

This policy does not grant permission to perform security testing beyond the scope described. Axinom reserves the right to update or withdraw this policy at any time. Nothing in this document constitutes a waiver of Axinom’s rights under applicable law.

13 Review & Updates

This VDP will be reviewed annually or following significant product or regulatory changes. The next scheduled review is 2 June 2026.

14 Version History

Version	Date	Author	Change Description
1.0	2025‑06‑02	Axinom Security Team	Initial release

Thank you for helping us keep Axinom and our customers safe.

1 Purpose​

2 Scope​

3 Our Commitment to Security Researchers​

4 Reporting a Vulnerability​

4.1 What to Include​

4.2 How to Submit​

5 Researcher Guidelines​

6 Safe Harbor Statement​

7 Our Vulnerability Handling Process​

8 Public Disclosure​

9 Out‑of‑Scope Vulnerabilities​

10 Privacy and Data Protection​

11 Contact Information​

12 Legal Notice​

13 Review & Updates​

14 Version History​