Introduction

At Corporate Law Insights & Analysis, we take the security of our platform seriously. We recognize the importance of security research and encourage responsible disclosure of security vulnerabilities. This Vulnerability Disclosure Policy outlines our approach to receiving and addressing security vulnerability reports.

Responsible Disclosure

We are committed to working with security researchers to verify, reproduce, and address security vulnerabilities in a responsible manner. We appreciate the efforts of security researchers who help us keep our platform secure for all users.

Scope

The following systems and services are in scope for vulnerability disclosure:

In Scope

  • https://insights.alexispath.com/ (Primary domain)
  • All subdomains under alexispath.com
  • Web application security vulnerabilities
  • API security issues
  • Authentication and authorization flaws
  • Data exposure vulnerabilities
  • Cross-site scripting (XSS)
  • SQL injection vulnerabilities
  • Cross-site request forgery (CSRF)

Out of Scope

  • Social engineering attacks
  • Physical security testing
  • Denial of Service (DoS/DDoS) attacks
  • Email spoofing/phishing
  • Third-party applications not under our control
  • UI/UX bugs not related to security
  • Missing security headers without proof of exploit
  • Theoretical vulnerabilities without proof of concept

Safe Harbor

We commit to providing a safe harbor for security researchers who follow this policy:

Safe Harbor Provisions

We will not initiate legal action against security researchers for:

  • Conducting security research in accordance with this policy
  • Making good faith efforts to avoid privacy violations
  • Minimizing disruption to our services
  • Reporting vulnerabilities promptly after discovery
  • Keeping vulnerability details confidential until we've addressed them

Legal Protection

Activities conducted outside this policy's scope, or that intentionally cause harm, are not covered by safe harbor provisions and may result in legal action.

Reporting Process

To report a security vulnerability, please follow these steps:

1. Discovery & Documentation

Identify the vulnerability and document clear steps to reproduce it. Include screenshots, videos, or proof-of-concept code where applicable.

2. Responsible Reporting

Submit your report via email to security@alexispath.com. Include all relevant details and do not disclose the vulnerability publicly.

3. Initial Response

We will acknowledge receipt of your report within 48 business hours and begin our investigation.

4. Collaboration & Fix

We'll work with you to understand and verify the vulnerability, then develop and deploy a fix.

Reporting Guidelines

When reporting vulnerabilities, please adhere to these guidelines:

Do's

  • Test only on your own accounts or with explicit permission
  • Use the dedicated security email for all communications
  • Include detailed steps to reproduce the vulnerability
  • Provide your contact information for follow-up
  • Allow reasonable time for us to address the issue
  • Keep vulnerability details confidential until resolved

Don'ts

  • Do not access or modify other users' data without permission
  • Do not perform denial of service attacks
  • Do not use automated scanners on production systems
  • Do not publicly disclose vulnerabilities before we fix them
  • Do not demand compensation for vulnerability reports
  • Do not violate laws or regulations during testing

Response Timeline

We are committed to addressing security vulnerabilities promptly:

Initial Response (within 2 business days)

We acknowledge receipt of vulnerability reports within 48 business hours.

Investigation & Validation (within 5 business days)

Our security team investigates and validates reported vulnerabilities.

Remediation Development (within 15 business days)

If valid, we develop and test a fix for the vulnerability.

Deployment & Notification (within 30 business days)

We deploy the fix and notify the reporter of resolution.

PGP Encryption

For sensitive vulnerability reports, you may encrypt your communications using our PGP key:

Security Team PGP Key

Key ID: 0xABCD1234EF567890

Fingerprint: 1234 ABCD 5678 EF90 1234 ABCD 5678 EF90 1234 ABCD

Expires: January 23, 2027

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF6L8gEBEACzT8[... truncated for display ...]
=ABCD
-----END PGP PUBLIC KEY BLOCK-----

Download full PGP key from: https://insights.alexispath.com/pgp-key.asc

Legal Disclaimer

This Vulnerability Disclosure Policy is provided for informational purposes:

Compliance with Laws

Security testing must comply with all applicable laws, including but not limited to the Information Technology Act, 2000 (India) and similar legislation in your jurisdiction. Unauthorized testing may constitute a violation of computer fraud and abuse laws.

Security Contact

For security vulnerability reports and related communications:

security@alexispath.com

Response Time: Within 48 business hours