Assay Cyber operates this site (assaycyber.com), the email infrastructure on the assaycyber.com domain, and supporting client-engagement systems used in the delivery of advisory services. This policy describes how to report a security issue affecting any of those systems, what we commit to in response, and the boundaries that responsible-disclosure researchers should observe.
Scope
This policy covers:
- The assaycyber.com website and any subdomains
- Email and DNS infrastructure operated under the assaycyber.com domain
- Client-facing systems we directly operate in the course of an engagement
This policy does not cover client systems we have advised on but do not operate, third-party services integrated into our infrastructure, or vulnerabilities in upstream platforms (Cloudflare, Google Workspace, GitHub, etc.) that should be reported to those vendors directly.
Reporting a vulnerability
We accept reports through the contacts published in our security.txt file or directly via the email below. Encrypted reports are accepted; if you require a PGP key, request one in your initial message and we will provide it.
Useful reports include: a clear description of the issue, the affected system or URL, steps to reproduce, the potential impact, and any references to public CVEs or related research. A proof-of-concept is helpful but not required.
What you can expect
We acknowledge legitimate reports within five business days. Confirmed issues are triaged and remediated on a timeline proportional to severity. We will keep you informed of progress and notify you when the issue is resolved. We do not currently operate a paid bug bounty program; meaningful contributions are credited publicly with the reporter's permission.
Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, service degradation, and destruction of data
- Limit testing to systems within scope
- Refrain from disclosing the issue publicly until we have had reasonable time to respond and remediate
If you are uncertain whether a planned action falls within this policy, contact us first and ask. We would rather have the conversation than discover the question after the fact.
Out of scope
The following do not require formal disclosure but may still be reported as feedback:
- Reports generated by automated scanners without manual verification
- Missing security headers without demonstrable exploitability
- Username enumeration on services where this is by design
- Issues affecting only outdated browsers or unsupported platforms
- Social engineering of personnel
- Physical security of any premises
This policy is reviewed annually and updated as our infrastructure or services change. When it changes materially, we republish our security.txt file with a refreshed Expires date so that stale copies are not relied on, and we record the change in the document history below.
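Because the contacts above are published through security.txt, a reporter should confirm the file is still current before trusting its contacts, and a publisher should run the same check before shipping an update. The following is an added example, not code or data from this site: a small checker for the RFC 9116 fields that matter here (Contact present and well-formed, exactly one Expires, Expires in the future and less than a year out, https on the URL fields). The sample file and the reference date are constructed for the example; the assaycyber.com file is not reproduced.

```python
"""Sanity-check a security.txt (RFC 9116) before trusting or publishing it.

Added example. SAMPLE is a constructed file, not the live assaycyber.com one.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample; example.com values, not a real security.txt.
SAMPLE = """\
# Constructed security.txt for illustration
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

# Fixed reference date (assumed, for a deterministic run); real runs use now().
REFERENCE_NOW = datetime(2026, 4, 19, tzinfo=timezone.utc)

REQUIRED = ("Contact", "Expires")
HTTPS_ONLY = ("Acknowledgments", "Canonical", "Hiring", "Policy")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to its list of values, skipping comments and blanks."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)  # values may themselves contain ':'
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """Parse the RFC 3339 Expires timestamp; a timezone offset is mandatory."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for value in fields.get("Contact", []):
        if not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:, or tel: URI: {value}")

    expires_values = fields.get("Expires", [])
    if len(expires_values) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires_values:
        try:
            expires = parse_expires(value)
        except ValueError as exc:
            problems.append(f"bad Expires value {value!r}: {exc}")
            continue
        if expires <= now:
            problems.append(f"file expired at {value}; treat its contacts as stale")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends under a year")

    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} must be an https URL: {value}")

    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE) or ["ok"]:
        print(problem)
```

Run against a freshly fetched https://example.com/.well-known/security.txt the same way; an expired file means the published contacts may no longer be monitored, and the publisher's fix is to regenerate the file with a new Expires rather than leave the old one in place.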
Document history
2026-04-19 · Initial publication.