Responsible Disclosure Policy

Last updated: April 29, 2026

We appreciate reports from security researchers working in good faith to help keep Recursite, InterNeuron Labs systems, and user data secure.

1. Purpose

The security of Recursite, InterNeuron Labs systems, and user data is a priority. We appreciate the work of security researchers acting in good faith to identify and report potential vulnerabilities.

  • This policy describes how to report potential vulnerabilities responsibly and what researchers can expect from us.
  • Our goal is coordinated remediation and disclosure that reduces risk to users, customers, systems, and data.
  • If a vulnerability affects multiple organizations, please submit separate reports to each affected organization so each can assess and address its own exposure.

2. Scope of Systems

  • This policy applies to internet-facing systems, applications, APIs, websites, and web experiences owned, operated, or controlled by InterNeuron Labs or Recursite.
  • It includes production Recursite services, related authentication flows, public web applications, and other online systems under our control.
  • It does not apply to third-party systems, services, vendors, libraries, integrations, identity providers, payment processors, or hosting providers that we do not own or control, even if they interact with Recursite.
  • Please follow the responsible disclosure policies of third-party systems when testing or reporting issues that affect them.

3. Scope of Vulnerabilities

We welcome clear reports of technical vulnerabilities with reproducible security impact.

  • Access control flaws, authorization bypasses, privilege escalation, insecure direct object references, and account or tenant isolation issues.
  • Injection vulnerabilities, including SQL injection, command injection, server-side request forgery, template injection, and similar server-side flaws.
  • Cross-site scripting, cross-site request forgery with meaningful impact, open redirects with security impact, and client-side vulnerabilities that expose user data or account security.
  • Authentication, session management, token handling, OAuth, or account recovery issues that could compromise accounts or sensitive data.
  • Sensitive data exposure, misconfigured storage, insecure API behavior, or information disclosure with a concrete impact.
  • Meaningful security misconfigurations, dependency risks, or business logic flaws that could affect confidentiality, integrity, availability, or user safety.

4. Out-of-Scope Vulnerabilities and Activity

The following are generally out of scope unless you can demonstrate a concrete, exploitable security impact.

  • General best-practice findings without a working proof of concept, such as broad SSL/TLS recommendations, missing security headers without impact, or cookie flag observations without exploitability.
  • Physical attacks, social engineering, phishing, vishing, spam, or attempts to deceive employees, contractors, users, or support teams.
  • Denial-of-service testing, resource exhaustion, stress testing, destructive testing, high-volume automated scanning, or activity that degrades service availability.
  • Rate limiting, brute-force, or enumeration findings on unauthenticated endpoints without demonstrated account or data compromise.
  • Clickjacking on pages with no sensitive actions, reflected file downloads, self-XSS, logout CSRF, or issues requiring unlikely user behavior without meaningful impact.
  • Reports based solely on publicly known vulnerable software without evidence that Recursite is affected and exploitable.
  • Content issues involving model prompts, outputs, jailbreaks, or policy behavior unless they also include a distinct technical security vulnerability.
  • Dependency confusion, dependency hijacking, zero-day issues with no available patch, or issues less than 30 days past public patch availability, unless actively exploitable against Recursite.

5. How to Submit a Report

Email disclosure@interneuronlabs.com with one vulnerability per report. Detailed, reproducible reports help us triage quickly.

  • Provide the vulnerability type, severity estimate, affected URL, endpoint, account, feature, or system location.
  • Include clear steps to reproduce, expected versus actual behavior, and any prerequisites such as test account roles or configuration.
  • Include supporting evidence such as request and response captures, screenshots, screen recordings, logs, code snippets, or proof-of-concept scripts.
  • Describe the potential impact, affected users or data, exploitability, and any recommended remediation.
  • Tell us whether you accessed any data that was not yours, whether testing is ongoing, and whether you intend to publish details.
  • Avoid submitting multiple unrelated vulnerabilities in one report. Separate reports make triage, tracking, and remediation clearer.

6. Researcher Guidelines

  • Act in good faith and comply with all applicable laws.
  • Use accounts and data you own or are authorized to test with.
  • Avoid privacy violations, data destruction, data exfiltration, persistence mechanisms, malware, lateral movement, and service disruption.
  • Do not exploit a vulnerability beyond what is minimally required to demonstrate validity and impact.
  • Do not access, modify, copy, retain, disclose, or use data that does not belong to you, except for the minimum inadvertent access needed to prove the issue.
  • If you unintentionally access sensitive data, stop testing immediately, do not retain the data, and include the details in your report.
  • Do not publicly disclose vulnerability details until we have had a reasonable opportunity to validate and remediate the issue and disclosure timing has been coordinated.
  • Do not request payment as a condition of disclosure, make threats, or engage in extortion.

7. Our Commitments

Good-faith reports will be taken seriously and handled with care.

  • We aim to acknowledge receipt of good-faith reports within three business days.
  • We will triage reports, attempt to validate findings, and prioritize remediation based on severity, exploitability, affected systems, and user risk.
  • We may contact you for additional information needed to reproduce, assess, or remediate a finding.
  • We will make reasonable efforts to keep you updated as investigation and remediation progress.
  • With your permission, we may credit your contribution in public acknowledgments if we choose to publish them.
  • We will not intentionally disclose your identity or contact information without your consent unless required by law, legal process, or safety obligations.

8. Safe Harbor

  • If you make a good-faith effort to comply with this policy, InterNeuron Labs does not intend to pursue legal action solely for your authorized security research and responsible disclosure.
  • Safe harbor applies only to research that is lawful, non-destructive, limited to in-scope systems, and conducted in accordance with this policy.
  • Safe harbor does not apply to extortion, threats, privacy violations, data exfiltration, service disruption, social engineering, physical attacks, or activity involving systems you are not authorized to test.
  • This statement does not waive any rights or obligations we may have under applicable law, and we may be required to cooperate with law enforcement or regulators in some circumstances.

9. Coordinated Public Disclosure

  • We support responsible public disclosure after vulnerabilities are validated and remediated or otherwise mitigated.
  • Please tell us in your report if you intend to disclose publicly and include your proposed timeline.
  • We ask that you avoid sharing exploit details, affected users, or sensitive system information before coordinated timing is agreed.
  • Researchers remain free to report similar vulnerabilities to other affected services, and this policy is not intended to restrict reports to other organizations.

10. Policy Updates

  • We may update this policy from time to time by publishing a revised version and updated date.
  • Reports submitted before policy updates are generally handled under the policy version in effect at submission time.

11. Contact

  • Security reporting: disclosure@interneuronlabs.com
  • Questions about this policy: disclosure@interneuronlabs.com
  • General support: hello@interneuronlabs.com