Security & disclosure.

This policy covers all assets operated by validant.ai, including but not limited to:

• validant.ai and any subdomain
• platform.validant.ai and its API surfaces
• Mobile clients distributed under the validant.ai name, once published
• Open-source repositories under github.com/validantai

Report a vulnerability to security [at] validant [dot] ai. For sensitive reports use PGP: our key fingerprint and full key are published at /.well-known/security.txt and on public keyservers.

If you act in good faith, we will too. Specifically, when you report responsibly under this policy, we will:

• Acknowledge your report within 2 business days
• Provide an initial assessment and severity within 5 business days
• Keep you informed of progress at meaningful milestones
• Not pursue or support legal action against you for activity in good-faith compliance with this policy
• Publicly credit you in our security acknowledgements page if you wish (anonymity respected on request)
• Consider eligible reports for our discretionary recognition programme (see "Rewards" below)

To stay within the safe harbour above, please:

• Use only your own accounts, your own data, or test accounts we provision. Do not access, modify or exfiltrate data belonging to anyone else.
• Stop as soon as you have established the existence of a vulnerability. Do not pivot, persist or escalate beyond what is necessary to demonstrate impact.
• Do not run automated scanning at a rate that degrades service. Coordinate sustained scans with us first.
• Do not test denial-of-service, social engineering, physical security or supply-chain attacks on third parties.
• Do not publish or share findings before we have had a reasonable opportunity to fix them (default 90 days; we can extend by mutual agreement for complex issues).
• Comply with all applicable laws, including the Swiss Criminal Code and the laws of your jurisdiction.

The following are not within the scope of this policy and may be rejected without analysis:

• Theoretical vulnerabilities with no plausible impact
• Self-XSS, missing security headers without demonstrated impact, clickjacking on non-sensitive pages
• Reports based purely on automated-scanner output
• Best-practice deviations that are not security vulnerabilities
• Volumetric denial-of-service attacks
• Social engineering of staff, customers or partners
• Physical attacks on our offices, data centres or hardware
• Issues in third-party services we use that should be reported to the third party directly

We currently run a discretionary recognition programme. Bounties are decided case-by-case based on impact (CVSS plus business context), report quality and uniqueness. Critical findings on production assets are typical candidates.

We publish a security acknowledgements page listing researchers who have helped us; it updates after each closed finding (with the researcher's consent).

Trust at validant.ai is engineering as well as documentation. Our standing security practices include:

• Privacy & security by design. Threat modelling and DPIA at the start of every new product surface, not at the end.
• Defence in depth. TLS 1.2+ in transit, AES-256 at rest, tenant isolation, hardware-backed MFA for staff, network segmentation.
• Least privilege. Role-based access, short-lived credentials, just-in-time elevation with audit log.
• Supply-chain hygiene. Dependency review, SBOM generation, signed container images, locked GitHub Actions to commit SHAs.
• Continuous monitoring. Centralised logging, anomaly detection, 24/7 on-call rotation.
• Incident response. Documented runbooks, tabletop exercises, 72-hour breach notification aligned to GDPR Art. 33 and revFADP Art. 24.
• Pen-testing. Third-party assessment at least annually and before material releases. Executive-summary letters are available to customers under NDA via the Trust Center.
• Certifications. Roadmap to ISO/IEC 27001 and SOC 2 Type II. Progress reported on the Trust Center.

We publish a machine-readable contact at the well-known location defined by RFC 9116:

• /.well-known/security.txt

Automated scanners and bug-bounty platforms can use it to find the right contact without guessing.