Security & Vulnerability Disclosure

Last updated: May 2026

Reporting a Vulnerability

Send reports to security@euraika.net. We acknowledge new reports within 72 hours and aim to triage within 7 business days.

Machine-readable contact metadata is published at /.well-known/security.txt in the format defined by RFC 9116.

Scope

In scope

  • The Aegis Compliance Command Center application
  • Deployed Aegis instances under *.euraika.net (production) and *.euraika-labs.net (development/staging)
  • Companion control-plane apps and Helm charts

Out of scope

  • Third-party connectors (Jira, Slack, Microsoft 365, Azure, AWS, etc.) — report to the upstream vendor
  • Hosted dependencies not operated by Euraika
  • Findings requiring physical access, privileged accounts on the reporter's own workstation, or social engineering of Euraika staff
  • Denial-of-service findings produced by load testing without prior written authorisation

Response SLA

  • Acknowledgement: within 72 hours of receipt
  • Triage: within 7 business days
  • Fix targets: Critical 7 days · High 30 days · Medium 90 days · Low 180 days

Safe Harbour

Research conducted in good faith and within this policy will not result in legal action from Euraika B.V. Good-faith research targets only in-scope assets, avoids privacy violations and service interruption beyond what is strictly necessary to demonstrate impact, gives Euraika a reasonable opportunity to remediate before public disclosure, and complies with all applicable laws.

Customer data must never be exfiltrated, retained, or shared beyond the minimum needed to prove a finding.

Encryption

A PGP public key for security@euraika.net will be published at /.well-known/pgp-key.txt once key generation and rotation tooling lands. Until then, please use TLS-encrypted email (SMTP STARTTLS or TLS-only relays).

Contact

Aegis Security Team

Euraika B.V., Amsterdam, Netherlands

security@euraika.net

See also our privacy policy and machine-readable disclosure metadata.