Responsible Disclosure Policy

Last updated: May 5, 2026

1. Authorized Activity Only

CYBER PHYLAX supports responsible, lawful, and documented security work. Assessment activity must be explicitly authorized by the asset owner or an authorized representative and governed by an approved scope, NDA, and Rules of Engagement.

2. Reporting Security Issues

If you believe you have identified a security issue affecting CYBER PHYLAX or an approved assessment workflow, report it promptly to security@cyberphylax.com.

3. Safe Harbor Conditions

Good-faith security research is considered authorized only when it avoids privacy violations, service disruption, data destruction, lateral movement, persistence, social engineering, extortion, and access to data beyond what is strictly necessary to prove the issue.

4. Coordinated Disclosure

Do not publicly disclose vulnerability details until CYBER PHYLAX has acknowledged the report, assessed impact, and had reasonable time to remediate or coordinate with affected parties.

5. Exclusions

• Denial-of-service or resource exhaustion testing.
• Physical attacks, phishing, social engineering, or harassment.
• Automated high-volume scanning without written approval.
• Accessing, modifying, deleting, or exfiltrating data that is not yours.
• Use of stolen credentials, malware, persistence, or destructive payloads.

6. No Guarantee of Reward

This policy is not a bug bounty program and does not create an obligation to provide compensation.