Skip to content

Legal · last updated April 19, 2026

Security Disclosure.

Acilox LLP (“Acilox,” “we,” “our”) welcomes reports of security vulnerabilities from researchers and customers. This page explains how to report issues responsibly and what you can expect from us.

Scope

In scope for coordinated disclosure:

  • acilox.com and public web properties we operate;
  • *.acilox.com subdomains under our control;
  • Acilox Labs web applications and documented APIs for customer environments you are authorized to test.

Out of scope (examples)

  • Third-party services not operated by Acilox (report issues to those vendors);
  • Physical security, social engineering against individuals, or spam reports;
  • Denial-of-service attacks or resource exhaustion tests without prior written approval;
  • Issues requiring outdated browsers or clearly informational scan findings without demonstrated impact;
  • Content complaints unrelated to security (use abuse or legal channels).

Safe harbor

If you comply with this policy — including avoiding privacy violations, data destruction, service disruption, and exfiltration beyond minimal proof-of-concept — we will not pursue civil or criminal action against you for good-faith research, and we will work with you to understand and remediate valid reports.

How to report

Email security@acilox.com with: affected domain or product, reproduction steps, impact assessment, and whether you believe the issue is actively exploited. If you would like to encrypt your report, request our current PGP public key in your first message and we will exchange keys before you share details.

Response targets

  • Acknowledgment: within 3 business days of receipt for valid reports;
  • Triage: initial severity assessment within 7 business days where information is sufficient.

Complex issues may take longer; we will keep you reasonably informed for critical vulnerabilities.

Recognition

With your consent, we may credit researchers on our security hall of fame at /trust/security. Publication timing aligns with remediation.

Bug bounty

We do not operate a paid bug bounty program at this time. This policy does not create a contract for compensation.

Contact us

Security reports: security@acilox.com. Related legal questions: legal@acilox.com.