Security Disclosure Policy
Last updated: June 30, 2026
Summary: We welcome good-faith security reports. Contact security@hardalion.com with details. Do not access data that is not yours or disrupt production systems.
1. Scope
This policy covers security vulnerabilities in Hardalion-owned websites, APIs, and services listed on hardalion.com and docs.hardalion.com. It does not cover third-party services we integrate with unless explicitly in scope.
2. How to report
Email security@hardalion.com with:
- Description of the issue and potential impact
- Steps to reproduce
- Affected URLs, endpoints, or components
- Your contact information (optional PGP key welcome)
We aim to acknowledge reports within 5 business days and will work with you on coordinated disclosure when appropriate.
3. Safe harbor
If you conduct research in good faith according to this policy - including avoiding privacy violations, data destruction, and service degradation - Hardalion will not pursue legal action against you for your research activities. This safe harbor does not apply if you violate law or access data beyond what is necessary to demonstrate the vulnerability.
4. Out of scope
- Social engineering or phishing against employees or customers
- Physical attacks against facilities or personnel
- Denial-of-service or load testing without prior written approval
- Issues in third-party software without a demonstrable impact on Hardalion
- Reports from automated scanners without verified exploitability
5. Recognition
We may acknowledge researchers who report valid, previously unknown issues at our discretion. We do not operate a public bug bounty program at this time unless separately announced.
6. Product security
For an overview of our security architecture and practices, see Architecture & Security.