Trust · disclosure

Responsible disclosure.

Coordinated, good-faith security research is welcome.

If you believe you have found a vulnerability that affects the Elyon platform, our APIs, or our infrastructure, please report it to us using the process below. We will not pursue legal action against researchers who follow this policy in good faith.

Scope

Reports are welcome on assets owned and operated by Elyon SCI, LLC:

  • app.elyonsci.ai
  • elyonsci.ai (marketing site)
  • Elyon public API endpoints
  • Authenticated Elyon application surfaces, tested only against accounts the researcher owns or has explicit permission to test

Out of scope

  • Findings that require physical access, social engineering, or denial-of-service techniques against production
  • Reports generated solely from automated scanners without demonstrated impact
  • Outdated browser warnings, missing best-practice headers without demonstrated impact, and other low-impact informational findings
  • Third-party services listed in /sub-processors. Please report directly to the vendor and notify us in parallel
  • Sub-processor or customer-tenant data accessed through accounts you do not own or operate
How to report

Send a report to security@elyonsci.ai. PGP key available on request.

A good report includes:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions, including any required setup
  • The specific URL, endpoint, or asset affected
  • Any supporting screenshots, logs, or proof-of-concept code (please redact any data not belonging to you)
  • Your preferred name or handle for acknowledgement, if any
Our commitments to you
Acknowledgement
We will acknowledge receipt of your report within two (2) business days.
Triage
We will provide an initial assessment within five (5) business days.
Updates
We will keep you informed of remediation progress on material findings.
Safe harbor
Research conducted in compliance with this policy is authorized. We will not initiate or pursue legal action against you, and we will work in good faith to clarify scope where helpful.
Credit
With your permission, we will credit you in our security acknowledgements.

What we ask of you

  • Provide reasonable time to investigate and remediate before public disclosure. We typically request 90 days for material findings, though severity and customer-impact considerations may extend or shorten this window by mutual agreement.
  • Avoid privacy violations: access only the minimum data necessary to demonstrate the vulnerability.
  • Do not exfiltrate data. Do not modify data. Do not degrade service for other customers.
  • Comply with all applicable laws and the terms of this policy.
Bounty

Elyon SCI does not currently operate a paid bug bounty program. We are evaluating one and will publish here when launched. Material reports received in the interim may receive a discretionary acknowledgement and credit.

Found something?

Email the security team with reproduction steps and impact. Safe-harbor coverage applies for research conducted under this policy.

Email securityTrust portal