Responsible Disclosure
Security at Senticor
Senticor is committed to building trustworthy AI systems that are secure by design. We take security seriously and value the contributions of security researchers and the broader security community in helping us maintain the highest standards of protection for our platform and our customers.
We encourage responsible disclosure of security vulnerabilities and are committed to working with researchers to verify, reproduce, and respond to legitimate reports.
Reporting a Security Vulnerability
If you believe you have discovered a security vulnerability in Senticor’s systems, platform, or services, please report it to us responsibly.
How to Report
Email: security@senticor.ai
PGP Key: Available at /security-pgp-key.txt for encrypted communications. Before encrypting anything to it, import the key and confirm that its full fingerprint matches the one published here.
PGP Fingerprint: 2AEC 4561 F4C1 83E3 FBFC 0CF9 04EB D9C9 CEFA 7A88
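The fingerprint above is the RFC 4880 v4 fingerprint of the primary key: SHA-1 over the byte 0x99, a two-byte big-endian packet length, and the public-key packet body. The block below is an added example written for this page, not Senticor's code; it reads an ASCII-armored public key, computes that fingerprint and compares it to a published value after normalizing spacing and case, so a downloaded key can be checked against the number printed here. The key embedded in the block is constructed from throwaway RSA parameters so that it runs offline; the real key at /security-pgp-key.txt must be fetched separately, and `gpg --fingerprint` prints the same 40 hex digits that this code computes.

```python
"""Check a downloaded OpenPGP public key against a published fingerprint.

Added example (not Senticor's code). Implements the v4 fingerprint of
RFC 4880 section 12.2. The sample key is constructed inline with
throwaway RSA values; it is NOT the real security@senticor.ai key.
"""
import base64
import hashlib
import re
import struct
from typing import Tuple

PUBLIC_KEY_TAG = 6  # RFC 4880 section 5.5.1.1: Public-Key Packet


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) and return the raw packet bytes."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP PUBLIC KEY BLOCK-----"):
            break
        if not in_body:
            if line.strip() == "":      # blank line ends the armor headers
                in_body = True
                continue
            if ":" in line:             # armor header such as "Comment:" or "Version:"
                continue
            in_body = True              # no blank line: treat this as the first data line
        if line.startswith("="):        # "=XXXX" is the optional CRC-24 line
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def first_packet(data: bytes) -> Tuple[int, bytes]:
    """Parse the first packet header (RFC 4880 section 4.2); return (tag, body)."""
    if not data or not (data[0] & 0x80):
        raise ValueError("missing packet tag bit")
    first = data[0]
    if first & 0x40:                    # new-format header
        tag = first & 0x3F
        b1 = data[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + data[2] + 192, 3
        elif b1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header, tag in bits 2..5
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1(0x99 || 2-byte length || body), uppercase hex."""
    if key_body[:1] != b"\x04":
        raise ValueError("only version 4 keys are handled")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept '2AEC 4561 ...', lowercase or 0x-prefixed forms; return 40 hex digits."""
    fp = re.sub(r"\s+", "", text).upper()
    if fp.startswith("0X"):
        fp = fp[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("fingerprint must be 40 hex digits")
    return fp


def verify_key(armored: str, expected_fingerprint: str) -> bool:
    """True only if the primary key's full v4 fingerprint equals the published one."""
    tag, body = first_packet(dearmor(armored))
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"first packet has tag {tag}, expected a public key packet")
    return v4_fingerprint(body) == normalize_fingerprint(expected_fingerprint)


def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def sample_key_body() -> bytes:
    """Constructed v4 RSA public-key packet body (throwaway numbers, not a real key)."""
    n = (1 << 2047) | (0xC0FFEE << 40) | 1          # 2048-bit placeholder modulus
    return b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + _mpi(n) + _mpi(65537)


def sample_armored_key() -> str:
    """Wrap the constructed packet in an old-format header and ASCII armor."""
    body = sample_key_body()
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----",
                      "Comment: constructed sample, not the real key", ""]
                     + lines + ["-----END PGP PUBLIC KEY BLOCK-----"])


if __name__ == "__main__":
    published = "2AEC 4561 F4C1 83E3 FBFC 0CF9 04EB D9C9 CEFA 7A88"
    print("sample key fingerprint:", v4_fingerprint(sample_key_body()))
    print("matches published value:", verify_key(sample_armored_key(), published))
```

In practice the same comparison is `gpg --import security-pgp-key.txt` followed by `gpg --fingerprint security@senticor.ai`; compare every group of the printed fingerprint, not just the trailing 16-hex-digit key ID, since key IDs are short enough to collide by construction.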
What to Include in Your Report
To help us quickly assess and address the issue, please include:
- Summary: Brief description of the vulnerability type and location
- Steps to Reproduce: Detailed instructions to reproduce the issue
- Potential Impact: Your assessment of the security impact
- Proof of Concept: Code, screenshots, or other evidence (if applicable)
- Your Contact Information: Email address for follow-up communication
Please do NOT include:
- Real customer data or personally identifiable information (PII)
- Access credentials or tokens (use dummy/test data instead)
- Data exfiltrated from production systems
Program Guidelines
For Security Researchers
When testing for security vulnerabilities, we ask that you:
✅ Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
✅ Only interact with test accounts you own or with explicit permission from the account holder
✅ Do not access, modify, or delete data belonging to others
✅ Avoid actions that could negatively affect Senticor customers or our service availability
✅ Keep vulnerability details confidential until we’ve had a reasonable time to address the issue
✅ Follow established communication channels (security@senticor.ai)
✅ Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
Our Commitments to You
When you report a security vulnerability to us, we commit to:
✅ Respond promptly to your report (within 3 business days)
✅ Keep you informed about our progress in addressing the vulnerability
✅ Work with you to understand and reproduce the issue
✅ Credit you publicly (if desired) once the issue is resolved
✅ Not pursue legal action against researchers who follow these guidelines
Program Scope
In Scope
The following assets are within scope for security research:
- senticor.ai and all subdomains (e.g., app.senticor.ai, api.senticor.ai)
- Senticor platform and services deployed under our infrastructure
- Senticor-developed applications with Senticor branding
- APIs and integrations documented in our public documentation
Out of Scope
The following are out of scope and will not be accepted under this policy:
❌ Customer applications deployed on the Senticor platform (these belong to our customers)
❌ Third-party services and dependencies (report directly to the vendor)
❌ Physical security testing or attempts to access Senticor facilities
❌ Social engineering of Senticor employees, contractors, or customers
❌ Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
❌ Automated scanning that generates excessive traffic or load
❌ UI/UX issues without security impact (e.g., typos, cosmetic bugs)
❌ Issues in outdated browsers or unsupported configurations
❌ Publicly disclosed vulnerabilities in third-party software (unless demonstrating novel exploitation in our context)
Vulnerability Disclosure Process
Our Response Timeline
- Acknowledgment: Within 3 business days of report submission
- Initial Assessment: Within 7 business days (confirm validity and severity)
- Resolution Timeline: Varies by severity (see table below)
- Public Disclosure: Coordinated with reporter after fix is deployed
Severity Classification
| Severity | Examples | Target Resolution |
|---|---|---|
| Critical | Remote code execution, authentication bypass, direct data breach | 7 days |
| High | Privilege escalation, SQL injection, significant data exposure | 30 days |
| Medium | CSRF, XSS, indirect information disclosure | 90 days |
| Low | Security misconfigurations with low impact | 180 days |
Coordinated Disclosure
We believe in coordinated disclosure and will work with you to:
- Agree on a reasonable timeline for public disclosure
- Publish security advisories for significant vulnerabilities
- Credit researchers who wish to be acknowledged
- Support your public disclosure (blog posts, conference talks) after fixes are deployed
Bug Bounty Program
Senticor is currently evaluating a formal bug bounty program. In the meantime, we may offer:
- Public recognition in our security acknowledgments page
- Swag and thank-you gifts for high-quality reports
- Direct engagement with our security engineering team
Note: We do not currently offer monetary rewards, but we deeply appreciate responsible disclosure and will acknowledge your contributions.
Security Acknowledgments
We extend our thanks to the following security researchers who have helped improve Senticor’s security:
List to be updated as researchers report vulnerabilities
Questions?
If you have questions about this policy or need clarification on scope, please contact us at security@senticor.ai.
For general support inquiries (non-security), please contact us at info@senticor.ai.
Legal Safe Harbor
Senticor considers security research conducted in accordance with this policy to be:
- Authorized for the purposes of §§ 202a–202c StGB (German Criminal Code), EU Directive 2013/40/EU, and similar computer-misuse laws
- Exempt from restrictions in our Terms of Service that would otherwise prohibit such activities
- Lawful and helpful to the security of our platform and customers
We will not initiate legal action against security researchers who:
- Follow this responsible disclosure policy
- Act in good faith
- Do not violate the privacy of our customers or employees
- Do not intentionally harm our systems or data
Thank you for helping us build a more secure platform for trustworthy AI.
Last Updated: 2025-09-27