Vulnerability Disclosure Policy
Standard Intelligence maintains a public vulnerability disclosure policy in line with our Secure by Design commitments. If you have identified a security issue, this page explains how to report it and what to expect from us.
Our commitment
We take security seriously and we expect people to find issues in our platform. Security research is valuable and we are committed to working constructively with researchers who identify vulnerabilities responsibly.
We will not pursue legal action against researchers who act in good faith under this policy. We will keep you informed of the progress of your report. Where a fix is significant, we will credit you in our public disclosure — or keep your identity private, if you prefer.
Response SLAs
Scope
In scope:
- platform.standardintelligence.eu (main app)
- api.standardintelligence.eu (REST API)
- Authentication and SSO integration points
- Tenant isolation and data segregation
- Document output and submission package integrity
- AI Navigator citation validation and prompt injection
Out of scope:
- Denial-of-service attacks
- Social engineering of Standard Intelligence staff
- Physical access attempts
- Third-party services (AWS, Anthropic, etc.)
- Testing against other tenants' data without consent
- Automated vulnerability scanning without prior approval
How to report
Email [email protected]. Our PGP key is available on the keyserver at keys.openpgp.org for sensitive disclosures.
Include the affected URL or endpoint, steps to reproduce, the potential impact, and any supporting screenshots or HTTP captures. More detail accelerates triage.
We acknowledge within 24 hours. Please do not publish details of the vulnerability before we have had the opportunity to investigate and deploy a fix.