Legal
Security
How to report vulnerabilities and what we protect in the Aegis platform.
Salanor builds Aegis as a signed provenance layer for production AI agents. We treat security reports from customers and researchers as part of operating the product, not as a distraction.
Report a vulnerability
Email security@salanor.com with:
- A clear description and impact assessment
- Steps to reproduce on the latest production or stated pilot environment
- Your preferred contact and disclosure timeline
For coordination without exposing details in email, use the contact form with topic Security disclosure and ask for encrypted follow-up.
Automated tools should read /.well-known/security.txt (RFC 9116).
What we protect
- Integrity of APS-1 events — Ed25519 signatures, per-agent hash chains, and optional Merkle transparency proofs
- Tenant isolation — organization-scoped data paths in API and console
- Authentication — password hashing, session cookies, OAuth and enterprise SSO where enabled
- Operational access — Platform Ops actions audited; production access on a least-privilege basis
Out of scope
Clickjacking on marketing pages without demonstrated impact, missing security headers without exploit, and social engineering are generally out of scope. Do not test against customer tenants you do not own.
Safe harbor
We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure. We do not operate a paid bug-bounty program during the design-partner phase; we acknowledge valid reports within five business days when possible.