Responsible disclosure.
Coordinated, good-faith security research is welcome.
If you believe you have found a vulnerability that affects the Elyon platform, our APIs, or our infrastructure, please report it to us using the process below. We will not pursue legal action against researchers who follow this policy in good faith.
Reports are welcome on assets owned and operated by Elyon SCI, LLC:
- app.elyonsci.ai
- elyonsci.ai (marketing site)
- Elyon public API endpoints
- Authenticated Elyon application surfaces, tested only against accounts the researcher owns or has explicit permission to test
Out of scope
- Findings that require physical access, social engineering, or denial-of-service techniques against production
- Reports generated solely from automated scanners without demonstrated impact
- Outdated browser warnings, missing best-practice headers without demonstrated impact, and other low-impact informational findings
- Third-party services listed in /sub-processors. Please report directly to the vendor and notify us in parallel
- Sub-processor or customer-tenant data accessed through accounts you do not own or operate
Send a report to security@elyonsci.ai. PGP key available on request.
A good report includes:
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions, including any required setup
- The specific URL, endpoint, or asset affected
- Any supporting screenshots, logs, or proof-of-concept code (please redact any data not belonging to you)
- Your preferred name or handle for acknowledgement, if any
- Acknowledgement
- We will acknowledge receipt of your report within two (2) business days.
- Triage
- We will provide an initial assessment within five (5) business days.
- Updates
- We will keep you informed of remediation progress on material findings.
- Safe harbor
- Research conducted in compliance with this policy is authorized. We will not initiate or pursue legal action against you, and we will work in good faith to clarify scope where helpful.
- Credit
- With your permission, we will credit you in our security acknowledgements.
What we ask of you
- Provide reasonable time to investigate and remediate before public disclosure. We typically request 90 days for material findings, though severity and customer-impact considerations may extend or shorten this window by mutual agreement.
- Avoid privacy violations: access only the minimum data necessary to demonstrate the vulnerability.
- Do not exfiltrate data. Do not modify data. Do not degrade service for other customers.
- Comply with all applicable laws and the terms of this policy.
Elyon SCI does not currently operate a paid bug bounty program. We are evaluating one and will publish here when launched. Material reports received in the interim may receive a discretionary acknowledgement and credit.