Vulnerability Disclosure Policy

Last updated: 04 June 2026

Semurg AI welcomes reports from security researchers and the broader community. We are committed to working with you to resolve valid security issues promptly.

Scope

  • semurg.io and all subdomains
  • Semurg REST API (/api/*)
  • WebSocket endpoints and LiveView channels
  • PII Shield pipeline

Out of Scope

  • Denial-of-service attacks (DoS/DDoS)
  • Social engineering of Semurg employees
  • Physical security attacks
  • Issues in third-party LLM providers (report directly to the provider)

Safe Harbour

Semurg AI will not pursue legal action against researchers who act in good faith, disclose responsibly, do not access user data beyond what is necessary to demonstrate the vulnerability, and do not disrupt services or degrade user experience.

How to Report

Email: [email protected]

Include: vulnerability description, steps to reproduce, impact assessment, and proof-of-concept (if safe to share).

Response SLA

  • Acknowledgement: within 24 hours
  • Initial triage: within 72 hours
  • Critical findings remediated: within 72 hours
  • High findings remediated: within 14 days
  • Medium/low findings remediated: within 90 days