Security Disclosure Policy
Your trust is our priority. We are committed to ensuring the security of our systems and protecting our customers' data. This policy outlines how to report potential vulnerabilities and our commitment to working with the security community.
Introduction: Our Commitment to Security
At Errna, a brand of Cyber Infrastructure LLC, we believe that security is a collaborative effort. The security of our systems, products, and our clients' data is a top priority. We value the contributions of independent security researchers and the broader security community in helping us maintain a secure environment. This Responsible Disclosure Policy is designed to provide clear guidelines for conducting vulnerability discovery activities and to outline our commitment to a fair and transparent process for submitting discovered vulnerabilities.
We encourage responsible reporting of any potential security issues. If you believe you have found a security vulnerability in our services, we are eager to work with you to resolve the issue promptly and ensure our platform remains safe for everyone. This document details the scope of our program, how to report a vulnerability, what you can expect from us, and our safe harbor statement.
Policy Scope: What's In and Out
This policy applies to all digital assets owned, operated, or maintained by Errna and Cyber Infrastructure LLC. We encourage research on the following:
- Any product or service on the `errna.com` domain and its subdomains.
- Our publicly accessible APIs and web services.
- Our official mobile applications.
However, the following are strictly out of scope:
- Denial of Service (DoS or DDoS) attacks.
- Physical testing of our offices or data centers.
- Social engineering (e.g., phishing, vishing) of our employees, contractors, or customers.
- Automated vulnerability scanning tools that produce high volumes of low-impact reports.
- Reports on outdated browser versions or missing security headers that do not lead to a direct, exploitable vulnerability.
- Disclosure of non-sensitive data, such as software versions or server information.
Engaging in any out-of-scope activities may result in your submission being considered invalid and could lead to protective measures being taken.
How to Report a Vulnerability
If you have discovered a vulnerability, please share the details with us by sending a secure email. Your report should be as detailed as possible to help us validate and reproduce the issue quickly.
Please include the following in your report:
- Type of Vulnerability: e.g., Cross-Site Scripting (XSS), SQL Injection, Remote Code Execution (RCE).
- Affected Asset: The specific URL, IP address, or application component that is affected.
- Detailed Description: A clear and concise description of the vulnerability and its potential impact.
- Steps to Reproduce: Provide a step-by-step guide, including any necessary scripts, code snippets, or screenshots, that will allow us to replicate the vulnerability.
- Contact Information: Your name and a secure method of contact.
Send your report to: security@errna.com. We recommend encrypting your email to protect the sensitive information it contains.
Our Commitment and What to Expect
When you responsibly disclose a vulnerability to us, we are committed to the following process:
- Prompt Acknowledgment: We will acknowledge receipt of your report within 2 business days.
- Dedicated Review: Our security team will investigate the report to validate the vulnerability. We will maintain open communication with you throughout this process.
- Timely Remediation: We will work diligently to remediate the validated vulnerability in a timely manner, based on its severity and complexity.
- Recognition: We believe in recognizing the valuable contributions of security researchers. While we do not currently offer a public bug bounty program, we are happy to provide public acknowledgment for your efforts, with your permission, once the vulnerability has been resolved.
Safe Harbor Statement
Errna and Cyber Infrastructure LLC will not initiate legal action against individuals who report security vulnerabilities and conduct their research in accordance with this policy. We consider security research and vulnerability disclosure activities conducted under this policy to be authorized and beneficial to our mutual security.
To qualify for safe harbor, you must adhere to all guidelines within this policy, including:
- Acting in good faith to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Making a genuine effort to not access or modify data that does not belong to you.
- Providing us with a reasonable amount of time to resolve the issue before any public disclosure.
We are committed to fostering a positive and collaborative relationship with the security community. Your work helps us protect our customers, and we thank you for your contribution.
Our Certifications and Partnerships
Our commitment to security and quality is validated by industry-leading certifications and partnerships.
Frequently Asked Questions
The timeline for a fix depends on the complexity and severity of the vulnerability. Upon validation, we will provide you with an estimated timeline. Critical vulnerabilities are typically addressed with the highest priority, often within days, while lower-severity issues may be resolved in a future release cycle. We are committed to transparency and will keep you updated on our progress.
Currently, we do not have a formal, public bug bounty program that offers monetary rewards. However, we strongly believe in recognizing the efforts of security researchers. For significant and well-documented vulnerability reports, we offer public acknowledgment and attribution on our website or a Hall of Fame page, with your explicit consent.
If you come across a potential security issue during normal use of our products, please report it to us immediately through the channels outlined in this policy. Our Safe Harbor statement protects customers and researchers who report vulnerabilities in good faith. Do not attempt to exploit the vulnerability further or access data beyond what is necessary to demonstrate the issue.
To protect our users, we request that you do not publicly disclose the vulnerability until we have had a reasonable amount of time to investigate and deploy a fix. Coordinated disclosure is crucial for security. Once the vulnerability is remediated, we are open to discussing public disclosure with you and can provide a joint statement or acknowledgment.
Have Questions or Need to Contact Us?
If you have questions about our security policies or need to get in touch for reasons other than reporting a vulnerability, our team is here to help.