Security is a shared discipline. No organization — regardless of its investment in controls, encryption, monitoring, and response — can identify every vulnerability in its own systems. The security research community plays a vital role in the global effort to protect organizations and the individuals they serve. Ariana Nexus respects that role and welcomes the responsible disclosure of security vulnerabilities by external researchers acting in good faith.
This Vulnerability Disclosure Policy establishes the terms under which security researchers may report vulnerabilities in Ariana Nexus systems, the protections Ariana Nexus extends to good-faith researchers, the scope of systems and activities covered, and the process Ariana Nexus follows upon receiving a report.
If you have discovered a potential security vulnerability in any Ariana Nexus system, please report it to:
Email: security@ariananexus.com
Encryption: Ariana Nexus encourages the use of encrypted email for vulnerability reports. If you require a PGP public key for encrypted communication, request one by emailing security@ariananexus.com with the subject line "PGP Key Request."
Mail (if electronic submission is not possible): Ariana Nexus, LLC, Attn: Security Office — Vulnerability Disclosure, 1717 Pennsylvania Avenue NW, 10th Floor, Washington, D.C. 20006
To enable Ariana Nexus to evaluate and respond to your report effectively, please include as much of the following information as possible:
Acknowledgment: Ariana Nexus will acknowledge receipt of your report within five (5) business days.
Triage and Assessment: The Security Office will assess the report to determine the validity, severity, and scope of the vulnerability. This assessment may involve internal investigation, environment review, and reproduction of the reported issue.
Communication: Ariana Nexus will provide status updates at reasonable intervals during the assessment process. If we require additional information to evaluate the report, we will contact you using the method provided.
Remediation: If the vulnerability is confirmed, Ariana Nexus will develop and deploy a remediation within a timeframe commensurate with the severity of the issue:
Critical (active exploitation risk, data exposure) — Remediation target: Within 72 hours.
High (exploitable vulnerability with significant impact) — Remediation target: Within 14 days.
Medium (exploitable vulnerability with moderate impact) — Remediation target: Within 30 days.
Low (informational, minor impact, or defense-in-depth) — Remediation target: Within 90 days.
Resolution Notification: Once the vulnerability has been remediated, Ariana Nexus will notify the reporter and confirm the resolution.
Ariana Nexus follows a coordinated disclosure model. This means:
Disclosure Timeline: Ariana Nexus requests that researchers refrain from publicly disclosing the vulnerability for a period of ninety (90) days from the date Ariana Nexus acknowledges the report, or until Ariana Nexus confirms that remediation has been deployed, whichever comes first.
Extension Requests: If remediation requires additional time beyond the ninety (90) day period due to complexity, third-party dependencies, or scope, Ariana Nexus will communicate the reason and request a reasonable extension. Researchers are encouraged to work with us cooperatively to determine an appropriate disclosure timeline.
Public Acknowledgment: Upon remediation, Ariana Nexus may publish a summary of the vulnerability and the remediation in its security advisories (if applicable), crediting the researcher by name or alias if the researcher desires acknowledgment. Ariana Nexus will seek the researcher's approval before publishing any acknowledgment.
Joint Disclosure: Where appropriate, Ariana Nexus and the researcher may agree to coordinate a joint public disclosure that describes the vulnerability, its impact, and the remediation.
Ariana Nexus provides the following safe harbor protections to security researchers who comply with this Policy:
Ariana Nexus considers security research conducted in compliance with this Policy to be authorized activity. Ariana Nexus will not initiate or support legal action against researchers who:
To the extent that security research conducted in compliance with this Policy could be viewed as a violation of the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Digital Millennium Copyright Act (17 U.S.C. § 1201), or equivalent state or international laws, Ariana Nexus will not pursue civil claims against the researcher, will not refer the researcher to law enforcement solely on the basis of the research activity, and will advocate on the researcher's behalf if a third party initiates legal action related to the research, provided the research was conducted in compliance with this Policy.
Safe harbor protections apply only if the researcher:
Safe harbor is provided at Ariana Nexus's sole discretion. Ariana Nexus reserves the right to determine whether activity constitutes good-faith security research or falls outside the scope of this Policy. Activities that violate the Exclusions or that cause harm to Ariana Nexus, its clients, its partners, or any individual are not protected by this safe harbor, regardless of the researcher's stated intent.
The following systems and assets are within the scope of this Vulnerability Disclosure Policy:
The following are explicitly out of scope and must not be tested or targeted:
The following activities are strictly prohibited and are not authorized under this Policy. Engaging in any of these activities forfeits all safe harbor protections:
Ariana Nexus values the contributions of security researchers who help improve the security of our systems. Researchers who submit valid vulnerability reports in compliance with this Policy may receive:
Ariana Nexus is evaluating the establishment of a formal bug bounty program with monetary rewards for qualifying vulnerability reports. If a bounty program is established, the following elements will be defined and published: eligible vulnerability categories and severity tiers, reward amounts by severity level, eligibility criteria and exclusions, and payment process and timeline.
Until a formal bounty program is announced, valid vulnerability reports are rewarded with recognition only. Ariana Nexus reserves the right to offer discretionary rewards for exceptionally impactful reports at its sole discretion.
Target: bug bounty program evaluation and potential launch in 2027.
Ariana Nexus's vulnerability disclosure program is designed in alignment with the following recognized frameworks and standards:
NIST Cybersecurity Framework 2.0 — ID.RA (Risk Assessment; ID.RA-08 specifically covers processes for receiving, analyzing, and responding to vulnerability disclosures), RS.AN (Incident Analysis). Aligned — vulnerability reports feed risk assessment and incident analysis.
NIST SP 800-171 Rev. 2 / Rev. 3 — 3.11.2 (Vulnerability Scanning; maps to SP 800-53 RA-5), 3.14.1 (Flaw Remediation; maps to SP 800-53 SI-2). Aligned — the VDP supplements, but does not replace, periodic automated scanning; remediation timelines are documented above (Rev. 2 remains the current baseline for DoD/CMMC assessments; Rev. 3 transition planned per DoD rulemaking).
ISO 27001:2022 — Annex A.8.8 — Management of Technical Vulnerabilities. Roadmap (2027) — VDP operational, certification planned.
ISO 29147:2018 — Vulnerability Disclosure (external reporting process). Aligned — this Policy follows ISO 29147 structure.
ISO 30111:2019 — Vulnerability Handling (internal response process). Aligned — triage, assessment, remediation, and notification procedures documented.
SOC 2 (Trust Services Criteria) — CC7.1 — Detection of changes, vulnerabilities. Roadmap (2026–2027) — VDP operational, audit planned.
CMMC Level 2 — Risk Assessment (RA) domain. Roadmap (2027) — VDP supplements RA controls.
DOJ Vulnerability Disclosure Framework — Good-faith security research protections. Aligned — safe harbor provisions follow DOJ 2022 CFAA charging policy guidance.
CISA Vulnerability Disclosure Policy Template — Federal VDP best practices. Aligned — Policy structure follows CISA template guidance.
Researchers must not access, copy, or transmit any Protected Health Information during the course of vulnerability research. If a researcher inadvertently encounters PHI while testing an in-scope system, the researcher must immediately cease testing, refrain from copying or storing the data, and report the encounter to security@ariananexus.com. Ariana Nexus will treat such encounters as potential security incidents and investigate accordingly.
Researchers must not access or attempt to access any system containing Controlled Unclassified Information. CUI environments are not in scope for this Policy. Any inadvertent access to CUI-marked content must be reported immediately and the content must not be copied, stored, or disclosed.
Researchers must not access, copy, or tamper with AI training data, annotation pipelines, or model evaluation environments. Vulnerabilities related to the AI Data Factory's publicly accessible interfaces (when launched) are in scope. Internal pipeline vulnerabilities should be reported by description if discovered incidentally but must not be exploited.
Researchers must not access or attempt to access any data relating to Afghan diaspora individuals, refugees, asylum seekers, or other sensitive populations. Any inadvertent exposure to such data must be reported immediately and the data must not be retained.
For procurement officers: Ariana Nexus maintains a published Vulnerability Disclosure Policy with a dedicated reporting channel, defined triage and remediation timelines, and safe harbor protections for good-faith researchers. This demonstrates that we take an open and proactive approach to vulnerability management.
For CISOs: Our VDP follows ISO 29147/30111 structure with severity-based remediation targets (72 hours for Critical, 14 days for High). Our safe harbor provisions follow DOJ 2022 CFAA charging policy guidance. We supplement the VDP with automated vulnerability scanning and third-party penetration testing (planned for 2027).
For compliance officers: Our VDP supports the vulnerability management requirements of NIST SP 800-171 (3.11.2 / SP 800-53 RA-5 and 3.14.1 / SP 800-53 SI-2), NIST CSF 2.0 (ID.RA-08), and CISA vulnerability disclosure best practices; it supplements, rather than replaces, periodic vulnerability scanning. It will be included in our SOC 2, ISO 27001, and CMMC evidence packages.
If your organization has questions about our vulnerability disclosure process or wishes to discuss coordinated security testing, contact security@ariananexus.com or +1 (202) 771-0224.
Ariana Nexus views vulnerability disclosure as a multi-year program. The following roadmap reflects our planned maturation path:
Vulnerability Disclosure Policy published. security@ariananexus.com active. Defined triage, remediation, and disclosure timelines. Safe harbor provisions. Recognition program.
PGP key published for encrypted submissions. Automated acknowledgment workflow. Vulnerability tracking in internal ticketing system.
Bug bounty program evaluation and potential launch. Annual third-party penetration testing. Security Researcher Hall of Recognition on Trust Center. SOC 2 VDP evidence package.
Managed bug bounty platform (HackerOne or Bugcrowd evaluation). Expanded scope to include future APIs and platform products. Integration with Sentinel SIEM for vulnerability intelligence.
Continuous vulnerability intelligence program. AI-assisted vulnerability triage. Coordinated disclosure partnerships with client security teams.
No Obligation to Act. Ariana Nexus will make reasonable efforts to assess and remediate confirmed vulnerabilities within the timeframes described in this Policy. However, Ariana Nexus is not obligated to remediate every reported issue, particularly those assessed as Low severity, those affecting out-of-scope systems, those requiring remediation by third-party providers (Microsoft, Cloudflare, Webflow), or those that Ariana Nexus determines do not pose a material risk. Remediation timelines are targets, not guarantees.
Safe Harbor Limitations. Safe harbor protections are provided at Ariana Nexus's sole discretion and apply only to activities conducted in strict compliance with this Policy. Ariana Nexus reserves the right to refer activities that violate this Policy to law enforcement authorities. The determination of whether activities constitute good-faith security research is made by Ariana Nexus in its sole discretion.
No Warranty of Security. The existence of this Vulnerability Disclosure Policy does not constitute a warranty or guarantee that Ariana Nexus systems are free from vulnerabilities, defects, or security flaws. Ariana Nexus expressly disclaims any such warranty.
Third-Party Systems. Ariana Nexus is not responsible for vulnerabilities in third-party platforms (Microsoft 365, Cloudflare, Webflow, Google Analytics, or any other third-party service). Reports regarding third-party platform vulnerabilities should be directed to the responsible provider.
Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ARIANA NEXUS SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING FROM OR RELATED TO A RESEARCHER'S PARTICIPATION IN THE VULNERABILITY DISCLOSURE PROGRAM, INCLUDING BUT NOT LIMITED TO: DAMAGES ARISING FROM TESTING ACTIVITIES; DAMAGES ARISING FROM ARIANA NEXUS'S DECISION TO REMEDIATE OR NOT REMEDIATE A REPORTED VULNERABILITY; OR DAMAGES ARISING FROM THE DISCLOSURE OR NON-DISCLOSURE OF VULNERABILITY INFORMATION. ARIANA NEXUS'S TOTAL AGGREGATE LIABILITY UNDER THIS POLICY SHALL NOT EXCEED ONE HUNDRED DOLLARS ($100). NOTHING IN THIS SECTION SHALL LIMIT OR EXCLUDE ARIANA NEXUS'S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; OR (C) ANY OTHER LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW, INCLUDING BUT NOT LIMITED TO LIABILITY UNDER THE UK UNFAIR CONTRACT TERMS ACT 1977, THE UK CONSUMER RIGHTS ACT 2015, OR GDPR.
Dispute Resolution. Any dispute arising out of or relating to this Policy shall be subject to the dispute resolution provisions in the Terms of Use, Section 18.