Security & Vulnerability Disclosure
Our security practices and how to report a vulnerability.
Last updated July 12, 2026
1. Purpose
Haruspex (“Haruspex”, “we”, “our”, or “us”) is committed to maintaining the security, integrity, and availability of our platform and services.
We appreciate the efforts of security researchers and members of the security community who responsibly disclose potential vulnerabilities. This Security & Vulnerability Disclosure Policy explains how security issues should be reported and how Haruspex responds to them.
This policy applies to:
- Haruspex.guru
- All official Haruspex web applications
- Public APIs
- AI services operated by Haruspex
- Other services explicitly owned and operated by Haruspex
This policy does not create any contractual relationship between Haruspex and any researcher.
2. Scope
The following systems are considered in scope:
- Haruspex.guru
- Official web applications
- User dashboard
- Authentication systems
- Public APIs
- AI interaction endpoints
- Public documentation
- Public infrastructure operated by Haruspex
Third-party services are outside the scope of this policy and should be reported directly to their respective providers.
Examples include:
- Cloud hosting providers
- Email delivery providers
- CDN providers
- Analytics platforms
- Identity providers
- Third-party integrations
3. Responsible Disclosure
If you believe you have discovered a security vulnerability, we ask that you:
- Report it privately.
- Provide sufficient technical details.
- Avoid public disclosure until we have had reasonable time to investigate.
- Avoid actions that could negatively impact users.
- Cooperate with our investigation if additional information is requested.
4. How to Report
Security reports should include, where possible:
- Description of the vulnerability
- Steps to reproduce
- Affected URL or endpoint
- Potential impact
- Proof-of-concept
- Screenshots if relevant
- Logs or HTTP requests where applicable
Reports may be submitted via:
Email: legal@haruspex.guru
5. Good Faith Research
Haruspex considers research to be conducted in good faith when it is intended to improve security and complies with this policy.
Researchers acting in good faith should:
- Avoid privacy violations.
- Avoid destruction of data.
- Avoid service disruption.
- Avoid unauthorized access beyond what is necessary to demonstrate the issue.
- Stop testing immediately after confirming a vulnerability.
6. Prohibited Activities
The following activities are prohibited:
- Social engineering
- Physical attacks
- Phishing
- Spam
- Malware deployment
- Ransomware
- Denial-of-Service (DoS)
- Distributed Denial-of-Service (DDoS)
- Credential stuffing
- Password spraying
- Brute-force attacks
- Data destruction
- Data modification
- Extortion
- Blackmail
- Accessing accounts belonging to other users
- Downloading personal information
- Persisting access after vulnerability confirmation
- Installing backdoors
- Cryptocurrency mining
- Exploiting third-party infrastructure
7. Privacy During Testing
Researchers must respect user privacy.
Do not:
- Access personal information unnecessarily.
- Read private conversations.
- Access uploaded documents.
- Collect authentication credentials.
- Copy production databases.
- Exfiltrate user data.
If personal information is accidentally accessed, it must:
- Not be copied
- Not be retained
- Not be shared
- Be reported immediately
8. Safe Harbor
Provided that researchers:
- Act in good faith;
- Follow this policy;
- Avoid privacy violations;
- Avoid service disruption;
- Report vulnerabilities promptly; and
- Do not exploit vulnerabilities for personal gain,
Haruspex generally will not pursue legal action solely for security research conducted in accordance with this policy.
This statement does not grant authorization to violate applicable laws or regulations.
Haruspex reserves all legal rights regarding malicious, reckless, fraudulent, or unlawful conduct.
9. Response Process
After receiving a report, Haruspex generally aims to:
- Acknowledge receipt within a reasonable timeframe.
- Review the report.
- Validate the vulnerability.
- Assess severity.
- Develop a remediation plan.
- Deploy a fix where appropriate.
- Notify the reporter when the issue has been resolved, where feasible.
Response times may vary depending on complexity and operational priorities.
10. Severity Assessment
Vulnerabilities may be prioritized based on factors including:
- Confidentiality impact
- Integrity impact
- Availability impact
- Ease of exploitation
- Authentication requirements
- User interaction requirements
- Scope of affected systems
- Potential business impact
- Potential customer impact
Haruspex may use industry-standard vulnerability scoring methodologies, including CVSS, where appropriate.
11. Bug Bounty
At this time, Haruspex does not operate a public bug bounty program.
Submission of a vulnerability does not create any entitlement to:
- Financial compensation
- Rewards
- Employment
- Consulting opportunities
- Public recognition
Haruspex may, at its sole discretion:
- Thank researchers publicly
- Offer non-monetary recognition
- Launch a future bug bounty program
12. Coordinated Disclosure
We encourage coordinated disclosure.
Researchers should allow Haruspex a reasonable opportunity to investigate and remediate vulnerabilities before public disclosure.
If public disclosure is planned, we request advance notice whenever reasonably possible.
13. Exclusions
The following generally do not qualify as reportable vulnerabilities unless additional security impact is demonstrated:
- Missing HTTP headers
- Missing best-practice security headers
- Clickjacking on pages with no sensitive functionality
- Outdated software without a demonstrated exploit
- Self-XSS
- Rate limiting suggestions without demonstrated abuse
- Missing email security records
- Weak password policies without exploitation
- Information disclosed through public documentation
- Previously reported issues
- Recently fixed vulnerabilities
- Cosmetic issues
- Spelling mistakes
- UI bugs
- Performance issues
- Feature requests
14. Security Practices
Haruspex employs security measures intended to protect our systems and users, which may include:
- Encryption in transit
- Encryption of sensitive stored data where appropriate
- Authentication controls
- Access controls
- Principle of least privilege
- Infrastructure monitoring
- Logging
- Security updates
- Vulnerability management
- Dependency management
- Backup procedures
- Incident response procedures
No security measure can guarantee absolute protection.
15. Security Incidents
Where required by applicable law or where Haruspex determines notification is appropriate, affected users may be informed of significant security incidents.
Notifications may include:
- Nature of the incident
- Systems affected
- Data involved, where known
- Mitigation steps
- Recommended user actions
Haruspex may delay disclosure where necessary to:
- Protect ongoing investigations
- Prevent additional harm
- Comply with legal obligations
16. Changes to This Policy
Haruspex may update this Security & Vulnerability Disclosure Policy at any time.
The updated version becomes effective upon publication on Haruspex.guru unless otherwise stated.
Continued use of the Services after updates constitutes acceptance of the revised policy.
17. Contact
Security reports and questions regarding this policy should be directed to:
Security Team Haruspex
Email: legal@haruspex.guru