Responsible Disclosure
Our commitment
Security researchers and well-meaning users find issues that internal review misses. We want to hear from you. If you discover a vulnerability in Hyperaxis (the gateway product), in Nexuscone (the open-source cryptographic substrate at github.com/aperintel/nexuscone), or in the hyperaxis.co.uk landing page, please report it responsibly. We commit to:
- Acknowledge your report within one business day
- Provide a triage assessment within five business days
- Fix critical issues within thirty days of triage
- Credit researchers who report in good faith (by name, by handle, or anonymously: your choice) on a public acknowledgements list, and notify you when the fix ships
- Not pursue legal action against researchers who follow this policy
How to report
Email security@aperintel.com with a clear description of the vulnerability, reproduction steps, the affected surface (e.g., hyperaxis.co.uk, Nexuscone library, gateway API), the impact you assess, and any supporting material (screenshots, PoC code). If your report contains sensitive material, request the PGP public key in your first email and we will return it within one business day.
Scope
In scope:
- hyperaxis.co.uk and its subpages (landing site)
- verify.hyperaxis.co.uk (public verifier, once live)
- app.hyperaxis.co.uk (gateway dashboard, once live)
- The Nexuscone library on PyPI and the source at github.com/aperintel/nexuscone
- Any subdomain on hyperaxis.co.uk or hyperaxis.ai we operate
Out of scope:
- Findings against third-party services we use (Vercel, Microsoft Azure, Supabase, Upstash, Resend, ImprovMX) where the issue is in the third-party platform itself, not our use of it. Please report those to the vendor's security team directly.
- Social engineering attacks against Aperintel staff
- Physical security of any premises
- Denial of service (DoS) testing without prior written agreement
- Findings that require credentials we did not give you (account takeovers via leaked passwords, etc.)
Vulnerability categories of particular interest
We are especially interested in:
- Anything that breaks audit-chain tamper-evidence (forging an entry that the verifier accepts as valid)
- Anything that allows cross-tenant data access
- Authentication or authorisation bypass on app.hyperaxis.co.uk
- Cryptographic flaws in signature verification, anchor proof handling, or hash-chain construction
- Server-side request forgery or injection attacks against the gateway
- Anything affecting PII handling in the redaction guardrails
Safe harbour
Research conducted in good faith under this policy will not be the subject of any legal action by Aperintel, including under the UK Computer Misuse Act 1990. Specifically: we will not pursue civil claims for accessing our systems while following this policy, we will not initiate criminal complaints over your report, and we will not initiate or comply with overbroad subpoenas seeking identifying information about you. This safe harbour applies only to actions that follow the scope and conduct expectations on this page.
Bounty
We do not run a paid bug bounty programme yet. Once we do, this page will be updated with the bounty terms. Until then we credit researchers publicly and we are happy to provide a written acknowledgement that can be included in a CV or a security-research portfolio.
Coordinated disclosure timing
The default disclosure window is ninety days from the initial report. If the vulnerability is critical and we are still patching at day ninety, we will request an extension with a clear reason. We commit to publishing the fix and crediting the researcher on the same day the patch ships.
Hall of fame
Once a vulnerability has been responsibly reported and patched, the researcher's credit is listed here unless they choose to remain anonymous. This list is currently empty; we look forward to building it.
Contact
security@aperintel.com · PGP public key available on request · General questions: hyperaxis@aperintel.com.