Responsible Disclosure Policy
=============================

At Capston, we encourage the responsible disclosure of security vulnerabilities to help protect our users and systems.

Contact
-------

- Dedicated address: security@capston.ai
- Please include: description, impact, reproduction steps, affected resources, and a minimal proof-of-concept if possible.
- Do not include real personal data in your reports.

Encryption
----------

- If needed, please encrypt sensitive details using the PGP public key below.

PGP Public Key
--------------

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEaKWCoBYJKwYBBAHaRw8BAQdAIY+qCltcKt2o/bpt+AI+BW/5M77s5BvF
ZMtbWH5OJqzNH2NhcHN0b25BSSA8c2VjdXJpdHlAY2Fwc3Rvbi5haT7CjAQQ
FgoAPgWCaKWCoAQLCQcICZD/ddtq9/AomwMVCAoEFgACAQIZAQKbAwIeARYh
BDdliXgMZ5K7MULOx/9122r38CibAABNtwEArs5k+SvsJltzaJ5D5969gZbq
Eagjz2QMICs2D5hMbJkA+wT1EOBpROAuu/RUftRTwQnBUoRVxJf3inye3fgu
P3sFzjgEaKWCoBIKKwYBBAGXVQEFAQEHQFg+qCJfQSmIkZfV6zUWKm1Q3/2D
0bxDsVBxjI2K2w9KAwEIB8J4BBgWCgAqBYJopYKgCZD/ddtq9/AomwKbDBYh
BDdliXgMZ5K7MULOx/9122r38CibAAAwNAD/TN9eGYAhO7Xe1SluN0tcaZx1
tW8TfkaGwFbOxd5/AewBANAstgnCk3R7xOqvLAhELcA6S7h97kzYhpPfi6Nx
K9UA
=uM7M
-----END PGP PUBLIC KEY BLOCK-----

Capston Commitments
-------------------

- We will acknowledge receipt of your report within 72 business hours.
- We will provide an initial assessment and remediation timeline within 10 business days.
- We will keep you updated on progress until resolution.
- We will publicly credit you (with your consent).

Researcher Guidelines
---------------------

- Do not exploit vulnerabilities beyond what is necessary to demonstrate impact.
- Do not access, alter, or exfiltrate real user data.
- Do not use denial-of-service, spam, ransomware, social engineering, or brute force.
- Keep vulnerability details confidential until a fix is deployed or explicit permission is granted.

In-Scope
--------

- Domains: *.capston.ai and official Capston services.
- Applications, APIs, and configurations managed by Capston.

Out-of-Scope
------------

- Third-party services not operated by Capston.
- Non-exploitable findings (SPF/DMARC best practices, banner versions, clickjacking on non-sensitive pages).
- Low-risk issues (weak rate-limits, CSRF on non-sensitive endpoints, self-XSS in non-persistent fields).

Rewards
-------

- No guaranteed bug bounty at this time. Public acknowledgment possible.

Safe Harbor
-----------

If you act in good faith and comply with this policy:

- Capston will not pursue legal action against you for your research.
- Your activities will be considered authorized for the sole purpose of vulnerability testing and reporting.
- This safe harbor does not cover malicious actions or data breaches.

Legal Notice
------------

This policy does not grant unlimited access to Capston systems. Capston reserves the right to update this policy at any time. Applicable laws prevail.

Last updated: 2025-08-20