Cynetix
Security Policy

Responsible Disclosure Policy

Document No. CYN-RD-001  |  Version 1.0  |  April 2026

Cynetix LLC ("Cynetix") is committed to maintaining the security and integrity of our systems and our clients' data. As a cybersecurity firm, we understand the critical role that independent security researchers play in strengthening the broader security ecosystem. This Responsible Disclosure Policy outlines how to report potential vulnerabilities and what you can expect from us in return.
Section 1

Our Commitment

Cynetix values the work of the security research community and welcomes responsible reports of vulnerabilities affecting our systems and services. We believe that coordinated disclosure is the most effective approach to identifying and resolving security issues, and we are dedicated to working collaboratively with researchers who act in good faith.

We recognize that security is a shared responsibility. By establishing a clear and transparent process for reporting vulnerabilities, we aim to foster trust and encourage researchers to help us protect our infrastructure, our clients, and the wider community.

Section 2

Scope

This policy applies to security vulnerabilities discovered in the following assets owned and operated by Cynetix LLC:

  • The primary domain cynetixsecurity.com and all associated subdomains;
  • Web applications and APIs hosted on Cynetix infrastructure;
  • Client-facing portals and reporting platforms operated by Cynetix;
  • Public-facing email and authentication services maintained by Cynetix.

If you are uncertain whether a particular system or service falls within scope, please contact us at contactus@cynetixsecurity.com before conducting any testing.

Section 3

How to Report a Vulnerability

If you believe you have discovered a security vulnerability in any Cynetix system, please report it by sending an email to:

contactus@cynetixsecurity.com

To help us triage and address the issue efficiently, please include the following information in your report:

  • Description: A clear and detailed description of the vulnerability, including the type of issue (e.g., XSS, SQL injection, authentication bypass, information disclosure);
  • Affected Asset: The URL, endpoint, or system component where the vulnerability was identified;
  • Steps to Reproduce: A step-by-step guide that allows our team to reliably reproduce the issue, including any tools, payloads, or configurations used;
  • Impact Assessment: Your assessment of the potential impact and severity of the vulnerability, including any data or systems that could be affected;
  • Proof of Concept: Screenshots, screen recordings, HTTP request/response logs, or other evidence demonstrating the vulnerability;
  • Your Contact Information: A reliable means of reaching you so we can follow up with questions or status updates.

We encourage researchers to encrypt reports containing sensitive details (for example, working exploit code or samples of exposed data) using our PGP key, which is available upon request from the address above.

Section 4

What We Ask of Researchers

To ensure that vulnerability research is conducted safely and responsibly, we ask that all reporters adhere to the following guidelines:

  • Do not access, modify, or delete data belonging to other users. If you inadvertently encounter another user's data during testing, stop immediately, do not save or share the data, and include this detail in your report;
  • Do not degrade or disrupt services. Avoid testing methods that could impact the availability, performance, or integrity of our systems for other users;
  • Allow reasonable time for remediation. Give Cynetix at least ninety (90) calendar days from the initial report to investigate and address the vulnerability;
  • Do not publicly disclose the vulnerability until a fix has been deployed or the ninety-day period (or any longer timeline agreed with Cynetix) has elapsed, whichever comes first, and coordinate the timing and content of any disclosure with us beforehand;
  • Act in good faith. Conduct research solely for the purpose of identifying and reporting security issues, not for personal gain, competitive advantage, or malicious intent;
  • Comply with all applicable laws. Your research must be conducted in accordance with all applicable local, state, federal, and international laws and regulations.

Section 5

What We Promise

When you report a vulnerability in compliance with this policy, Cynetix commits to the following:

  • Timely Acknowledgment: We will acknowledge receipt of your report within two (2) business days;
  • Open Communication: We will keep you reasonably informed of our progress as we investigate and remediate the reported issue;
  • Good-Faith Assessment: We will evaluate each report on its technical merits and work diligently to validate and resolve confirmed vulnerabilities;
  • Recognition: With your permission, we will publicly credit you for the discovery. We respect the wishes of researchers who prefer to remain anonymous;
  • No Legal Action: Cynetix will not pursue civil or criminal legal action against researchers who discover and report vulnerabilities in accordance with this policy and the Safe Harbor provisions outlined in Section 7.

Section 6

Out of Scope

The following activities and vulnerability types are explicitly outside the scope of this policy and should not be tested or reported under this program:

  • Social engineering, phishing, or pretexting attacks against Cynetix employees, contractors, or clients;
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks;
  • Physical attacks against Cynetix offices, facilities, data centers, or equipment;
  • Vulnerabilities in third-party services, libraries, or platforms not owned or controlled by Cynetix;
  • Attacks that require physical access to a user's device, or pre-existing access to the user's account or credentials;
  • Automated vulnerability scanning that generates excessive traffic or may degrade services;
  • Spam, email flooding, or abuse of contact forms and messaging systems;
  • Reports of missing security headers, SSL/TLS configuration details, or other low-severity informational findings without a demonstrated exploit path.

Section 7

Safe Harbor

Cynetix considers security research conducted in accordance with this policy to be authorized, lawful, and protected activity. We commit to the following Safe Harbor provisions:

  • We will not initiate or support legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this policy;
  • We will consider research activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and any analogous state or international laws;
  • We will not file complaints against researchers with law enforcement agencies for activities conducted under this policy;
  • If a third party initiates legal action against a researcher for activities conducted under this policy, we will take reasonable steps to make it known that the researcher's actions were authorized by Cynetix.

This Safe Harbor applies only to legal claims under Cynetix's control and does not bind independent third parties. If at any point during your research you are uncertain whether your conduct complies with this policy, please contact us at contactus@cynetixsecurity.com before proceeding.

Section 8

Contact

For all security vulnerability reports and questions regarding this policy, please contact us at:

  • Email: contactus@cynetixsecurity.com
  • Subject Line: Responsible Disclosure — [Brief Description]

We appreciate your contribution to the security of our systems and the broader community. Researchers who act in good faith are a vital part of the cybersecurity ecosystem, and we are grateful for your efforts.

Thank You

Cynetix LLC is grateful to the security research community. Your efforts make our systems stronger and our clients safer. If you have any questions about this policy or your eligibility to participate, please do not hesitate to reach out.