Reporting a vulnerability
Email suspected vulnerabilities to security@generalanalysis.com. A clear, complete report helps us validate and address the issue efficiently. Please include:
- The affected product, system, or page
- A concise description of the vulnerability and its potential security impact
- Step-by-step reproduction instructions, including any prerequisites or required configuration
- Relevant proof of concept, screenshots, or logs, with secrets and unrelated data redacted
- The approximate date and time of testing and any identifiers needed to locate the activity
- Your contact information, unless you prefer to report anonymously
Do not include credentials, personal information, customer data, or other sensitive material beyond what is strictly necessary to demonstrate the issue. If you encounter sensitive information, stop testing and notify us immediately.
Scope
This policy covers good-faith testing of the General Analysis public website and the General Analysis-owned production components of the following products:
- The public website at generalanalysis.com
- Automated AI Red Teaming
- AI Detection and Response
- AI Security Asset Management
- Runtime Guardrails & Observability
Other systems are in scope only when General Analysis identifies them in writing.
Open-source software
We also welcome reports concerning software maintained and published by General Analysis. Test open-source software only in copies and environments you control. Third-party hosting platforms and their infrastructure are not in scope.
Out of scope
Unless General Analysis expressly authorizes testing in writing, the following are out of scope:
- Development, test, staging, preview, and internal systems
- Customer systems, customer-configured targets, customer data, and other tenants
- Third-party services, integrations, model providers, cloud infrastructure, and other systems not operated by General Analysis
- Social engineering of General Analysis employees, contractors, customers, or partners
- Physical locations, offices, and data centers
- Any system or asset not expressly described above
Contact us before testing if you are uncertain whether a product, system, or environment is in scope.
Research guidelines
To remain within this policy, you must conduct research carefully, lawfully, and only to the extent necessary to validate a potential vulnerability:
- Use only accounts, organizations, projects, tenants, and data that you own or have explicit written permission to test
- Do not test customer-configured targets or third-party integrations through General Analysis products
- Avoid disrupting our services, degrading their availability, or generating excessive traffic
- Do not conduct denial-of-service attacks, phishing, spam, physical attacks, or high-volume automated scanning
- Test only as much as necessary to confirm that a vulnerability exists
- Do not establish persistence, escalate privileges unnecessarily, move laterally, or access unrelated systems
- Do not copy, alter, delete, download, retain, or publicly disclose data that does not belong to you
- Stop testing and notify us immediately if you encounter personal, confidential, customer, or other sensitive information
- Report confirmed vulnerabilities promptly and provide us a reasonable opportunity to investigate and remediate them
Activity outside these boundaries is not authorized by this policy.
Safe harbor
We consider security research conducted in good faith and in accordance with this policy to be authorized, and General Analysis will not initiate or support legal action against researchers for such activity.
If you inadvertently exceed this policy, stop testing and contact us promptly so we can evaluate the circumstances in good faith. This safe harbor applies only to systems and legal rights controlled by General Analysis. It does not authorize activity involving third-party systems or conduct that violates applicable law.
What you can expect from us
For reports that contain sufficient information to investigate, we will make reasonable efforts to:
- Acknowledge your report within three business days
- Provide an initial assessment within ten business days
- Request clarification or additional evidence when necessary
- Keep you reasonably informed of remediation progress
- Coordinate disclosure and provide public credit, with your permission, when appropriate
These response periods are targets and may vary with the complexity and severity of the report.
We do not currently offer monetary compensation for vulnerability reports. Submission of a report does not create an entitlement to payment.
Disclosure
Do not publicly disclose a vulnerability before General Analysis has had a reasonable opportunity to investigate and remediate it. We will work with you in good faith to establish an appropriate timeline for coordinated disclosure based on the severity and complexity of the issue.