Vulnerability Disclosure Policy
We take the security of RadMah AI seriously and value the work of security researchers who help us identify and address vulnerabilities.
Reporting a Vulnerability
Encrypt sensitive reports with our PGP key (available on request). Please include as much detail as possible to help us reproduce and assess the issue.
Your report should include:
- Clear description of the vulnerability and which asset is affected
- Detailed reproduction steps, including tools and configurations used
- Impact assessment — what data is at risk and under what conditions
- Your environment details (OS, browser, client version, deployment model)
Scope
Platform Services
Control plane APIs, management portal, authentication and authorisation endpoints, job execution pipeline
Client Applications
Web applications (app.radmah.ai, admin.radmah.ai), Python SDK, REST API
Marketing Website
radmah.ai including forms, static assets, and any server-side functionality
Evidence & Cryptography
BLAKE3 evidence chain, generation contract signing, determinism proofs, and seal verification
Safe Harbour
We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they comply with this policy. We consider security research conducted under this policy to be authorised and will not pursue civil or criminal action.
Prohibited Activities
Response Timeline
- Initial acknowledgement of your report
- Severity assessment and triage
- Regular status updates as we investigate and remediate
- Public credit with your permission
Recognition
We do not currently operate a paid bug bounty programme. We commit to crediting your contribution publicly (with your permission) and treating valid reports as engineering priorities. Significant findings may be rewarded at our discretion.