Our Commitment
Security is foundational to SophonixAI’s mission. We build AI systems that enterprise clients trust with sensitive data and critical business processes — and we hold ourselves to the same standard we set for the systems we build.
We are committed to:
- Responding promptly and transparently to legitimate security reports.
- Working collaboratively with security researchers in good faith.
- Addressing verified vulnerabilities within defined timelines.
- Never taking legal action against researchers who follow this policy.
- Continuously improving our security posture through ongoing assessment and testing.
This policy applies to security researchers, penetration testers, clients, and any individual who discovers a potential security vulnerability in our systems.
Scope
The following assets are in scope for security research under this policy:
- sophonixai.com — The primary website and all subdomains (e.g., app.sophonixai.com, api.sophonixai.com).
- SophonixAI Platform API — Any publicly documented or discoverable API endpoints.
- Web application — The client-facing platform, forms, authentication flows, and user interfaces.
- Authentication & authorisation mechanisms — Login, session management, token handling, and access control systems.
Vulnerability classes of particular interest include:
- Authentication bypasses or privilege escalation
- SQL injection, NoSQL injection, or command injection
- Cross-site scripting (XSS), CSRF, or clickjacking on sensitive actions
- Insecure direct object references (IDOR) leading to unauthorised data access
- Server-side request forgery (SSRF)
- Sensitive data exposure (API keys, credentials, PII in responses)
- Security misconfigurations in cloud infrastructure (open S3 buckets, etc.)
- AI-specific vulnerabilities: prompt injection leading to data exfiltration, model inversion, or system compromise
Out of Scope
The following are explicitly out of scope. Reports on these items will not be actioned and may be subject to legal action if guidelines are violated:
- Third-party services, libraries, or tools not under SophonixAI’s direct control.
- Social engineering attacks against SophonixAI employees, contractors, or clients.
- Physical security (office premises, hardware).
- Denial of service (DoS/DDoS) attacks or any testing that degrades service availability.
- Automated scanning that generates excessive load on production systems.
- Reports based on theoretical vulnerabilities without demonstrated proof of concept.
- Vulnerabilities in software versions we have already acknowledged as known issues.
- Missing security headers with low impact (e.g., missing HSTS on non-sensitive subdomains).
- Email spoofing or SPF/DKIM configuration issues unless demonstrably exploitable.
How to Report
To report a security vulnerability, please email us at: security@sophonixai.com
Please include the following in your report:
- Description — A clear description of the vulnerability, including the type (e.g., XSS, IDOR, SQL injection).
- Affected asset — The specific URL, endpoint, or component where the vulnerability exists.
- Steps to reproduce — A detailed, step-by-step reproduction case. The more specific, the faster we can validate and patch.
- Proof of concept — Screenshots, HTTP request/response captures, or a video recording demonstrating the issue. Do not include actual sensitive data exfiltrated from our systems.
- Impact assessment — Your assessment of what an attacker could achieve by exploiting this vulnerability.
- Your contact details — Name/handle and email address for follow-up (optional for anonymous reports, but omitting them prevents us from crediting you).
For sensitive reports, you may encrypt your email using our PGP key available at sophonixai.com/.well-known/security.txt.
Please do not report vulnerabilities via social media, public GitHub issues, or our general contact form.
Response Commitments
We commit to the following response timeline for all valid reports submitted under this policy:
- Initial acknowledgement: Within 48 hours of receipt during business days.
- Triage assessment: Within 5 business days — we will confirm whether the report is accepted, provide an initial severity assessment, and give you a tracking reference.
- Status update: Within 10 business days of triage — we will confirm our remediation plan and estimated timeline.
- Critical / High severity patches: Target resolution within 14 days.
- Medium severity patches: Target resolution within 30 days.
- Low severity patches: Addressed in the next regular release cycle, typically within 90 days.
- Coordinated disclosure: We will notify you when the vulnerability has been patched and coordinate a public disclosure timeline with you. We request a maximum of 90 days before public disclosure, in line with industry standard practice.
We will keep you informed throughout the remediation process. If we require more time due to complexity or third-party dependencies, we will communicate this proactively and agree an extended timeline.
Safe Harbor
SophonixAI will not initiate legal action against security researchers who:
- Discover and report vulnerabilities in good faith in accordance with this policy.
- Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability.
- Do not exploit the vulnerability for any purpose beyond demonstrating its existence to us.
- Do not disclose the vulnerability publicly before the agreed coordinated disclosure date.
- Do not use the vulnerability to attack, disrupt, or degrade our services or those of our clients.
- Do not conduct social engineering, phishing, or physical attacks against SophonixAI personnel.
We consider good-faith security research under this policy to be “authorised” access for the purposes of the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and equivalent legislation in other jurisdictions.
If you are uncertain whether a particular action falls within this safe harbor, please ask us before proceeding at security@sophonixai.com.
Researcher Guidelines
To ensure your research is conducted responsibly and does not harm our clients or services, please follow these guidelines:
- Use test accounts only. Create dedicated test accounts for your research. Never use accounts belonging to real users or clients.
- Minimise data access. Access only the minimum data necessary to demonstrate the vulnerability. Stop immediately upon proof of concept — do not attempt to extract, download, or enumerate data further.
- No client data. If you inadvertently encounter what appears to be real client data, stop immediately and report it as part of your disclosure without further inspection or retention.
- No production impact. Do not perform actions that could degrade performance, corrupt data, or disrupt access for legitimate users.
- Automated scanning. If you must use automated tools, rate-limit requests to avoid triggering denial-of-service conditions. Do not perform aggressive scans against production systems without prior written approval.
- One report per vulnerability. Do not chain multiple issues into one report unless they are demonstrably required to achieve the stated impact. Separate issues should be filed separately.
Recognition
We genuinely appreciate the effort security researchers put into making the internet safer. Researchers who report valid, in-scope vulnerabilities under this policy will be:
- Personally acknowledged by our security team in every response.
- Listed in our Security Hall of Fame (on this page) with their name or chosen handle, upon their consent.
- Considered for invitation to our private security researcher programme for ongoing collaboration as the platform grows.
We do not currently operate a paid bug bounty programme, but we review this position regularly as our platform scales. Researchers who report critical vulnerabilities may receive recognition at our discretion.
We are grateful to the following researchers who have helped improve our security posture:
// No entries yet — be the first.
Contact
- Security reports: security@sophonixai.com
- General enquiries: hello@sophonixai.com
- Security.txt: sophonixai.com/.well-known/security.txt
Response time for security reports: within 48 hours during business days.