Security disclosures
We take reports of security issues seriously. If you believe you have found a vulnerability in Jonarix-controlled websites, APIs, or client tooling, please follow this process so we can investigate quickly and protect users.
1. Where to report
Email support@jonarix.com with a clear subject line (for example: “Security report: SSRF in registry API”). Encrypt sensitive details with PGP if we publish a key for your reporting window; otherwise minimize sensitive data in the first message and we will provide a secure channel if needed.
For abuse of the service (spam, phishing prompts, account takeover attempts) that is not a technical vulnerability, use the same address with subject “Abuse report” or use Contact & support for general trust & safety.
2. What to include
- Description of the issue and potential impact.
- Steps to reproduce (requests, endpoints, timestamps in UTC).
- Whether you have accessed or exfiltrated user data (we expect researchers to stop at the minimum proof).
- Your contact handle for follow-up (email or Signal if offered).
3. Rules of engagement
We welcome good-faith research. Please do not:
- Access, modify, or delete other users’ data without explicit written authorization.
- Perform destructive testing (DoS, ransomware, physical attacks).
- Demand payment under duress or threaten public disclosure before we have had a reasonable time to respond.
Reports that stay within these guidelines are less likely to face legal action; we still appreciate responsible handling if you make a mistake—tell us promptly.
4. Our response
We aim to acknowledge valid reports within 5 business days and will keep you informed of material status changes. Critical issues may be patched on an emergency cadence.
We may credit researchers in release notes or a hall of fame where you opt in; let us know your preferred name or if you wish to remain anonymous.
5. Scope (high level)
In scope: Jonarix production web apps, documented public APIs, official CLI where it talks to Jonarix infrastructure, and authentication flows we operate.
Typically out of scope: third-party dependencies without a clear Jonarix impact, social engineering of our staff, physical attacks, issues requiring rooted user devices, or findings already public.
6. Safe harbor
If you comply with this policy and applicable law, we will not pursue civil action or refer you for criminal investigation for accidental, good-faith violations of our acceptable use rules solely in connection with your report.
7. Product security practices
We use TLS for data in transit, least-privilege access for production systems, logging and alerting, dependency scanning, and periodic reviews of high-risk changes. SOC 2 is on our roadmap; ask your account team for the latest attestation package under NDA.
Note: Tune acknowledgment SLAs and scope to match your real incident response program and bug-bounty rules if you launch one.