Vulnerability Disclosure Policy

Effective Date: May 22, 2026

ArcGlass values the work of the security research community and is committed to maintaining the security of our customers' data. This Vulnerability Disclosure Policy ("Policy") describes how to report a security issue to us, what is in and out of scope, and what you can expect from us in return.

1. Scope

The following ArcGlass-operated assets are in scope:

  • arcglass.io and its subdomains
  • console.arcglass.io (the ArcGlass web application)
  • The ArcGlass API endpoints reachable from the application

The following are out of scope:

  • Third-party services, integrations, and infrastructure operated by vendors (e.g., Render, Cloudflare, Slack, Microsoft, Google, payment processors). Please report issues with those services directly to the relevant vendor.
  • Social-engineering attacks against ArcGlass employees, contractors, or customers.
  • Physical attacks against ArcGlass facilities, equipment, or personnel.
  • Denial-of-service attacks (volumetric, brute-force, or otherwise).
  • Issues requiring physical access to a user's device, or that can only be exploited by an attacker who already controls the device or browser session.
  • Findings from automated scanners without a working proof of concept.
  • Best-practice or policy recommendations (e.g., missing security headers, weak TLS ciphers) that do not demonstrate an exploitable impact.

2. How to Report

Send your report to legal@arcglass.io with the subject line "Security Vulnerability Report". Please include:

  • A clear description of the vulnerability and its impact.
  • Step-by-step reproduction instructions, including any URLs, payloads, request/response samples, or screenshots needed to reproduce the issue.
  • The version, build, or commit affected, if known.
  • Your name and contact information (if you wish to be credited).
  • Whether you intend to publish details and, if so, an indication of your disclosure timeline.

If the report contains sensitive information, please encrypt it. We will provide a PGP key on request.

3. Safe Harbor

ArcGlass considers security research conducted in good faith and in accordance with this Policy to be authorized. We will:

  • Not pursue or support any legal action against you for accidental, good-faith violations of this Policy.
  • Work with you to understand and resolve the issue promptly.
  • Recognize your contribution publicly if you are the first to report the issue and we make a code or configuration change based on your report (subject to your consent).

To stay within safe harbor, you must:

  • Make a good-faith effort to avoid privacy violations, degradation of the user experience, disruption to production systems, and destruction or manipulation of data.
  • Stop testing and submit a report as soon as you discover a vulnerability.
  • Only interact with accounts you own or with explicit permission from the account holder.
  • Not exfiltrate, store, share, transfer, or process user data beyond what is necessary to demonstrate the vulnerability.
  • Not publish or share the vulnerability with third parties until ArcGlass has had a reasonable opportunity to investigate and remediate.
  • Comply with all applicable laws.

If you are unsure whether a specific action is authorized, please contact us first.

4. Our Response Commitments

When you report an issue under this Policy, you can expect us to:

  • Acknowledge receipt of your report within 5 business days.
  • Provide an initial triage assessment within 10 business days.
  • Keep you informed of remediation progress at reasonable intervals.
  • Notify you when the issue has been remediated.

We do not currently operate a paid bug-bounty program. We may recognize valid, original reports publicly (e.g., on a security acknowledgments page), subject to your consent.

5. Coordinated Disclosure

We ask that you do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and remediate. We aim to remediate valid, high-severity issues within 90 days of triage; we will work with you on a coordinated disclosure timeline if more time is needed.

6. Changes to This Policy

ArcGlass may update this Policy from time to time. Material changes will be indicated by updating the Effective Date above. The current version of this Policy always governs.

7. Contact

For security reports or questions about this Policy, contact:

ArcGlass
Email: legal@arcglass.io