Security & Vulnerability Disclosure

Last updated: January 20, 2026

We take security seriously. If you believe you've found a vulnerability in an Athencia system, please report it so we can investigate and remediate quickly.

How to Report

Response targets: we aim to reply within 3 business days and triage within 7 days. We'll keep you informed as we work toward a fix.

We do not operate a paid bug bounty at this time.


Safe Harbor (Good-Faith Research)

If you follow this policy, act in good faith to avoid privacy harm or service disruption, and report promptly, Athencia will:

  • Consider your research authorized under this policy.
  • Not pursue legal action or law-enforcement referrals for your research.
  • Work with you to understand and resolve the issue.

This safe harbor applies only to good-faith, policy-conformant research on in-scope assets (below).


Scope

In scope:

  • athencia.one and Athencia-owned subdomains (e.g., marketing pages, public forms, and endpoints we list here in future updates).

Out of scope (please don't test):

  • Social engineering (phishing, vishing, smishing) of Athencia staff, customers, or partners.
  • Physical security, spam, or DDoS/volumetric attacks.
  • Third-party platforms we don't control (including hosting, CRM, or SaaS vendors).
  • Automated scanning that degrades service or generates excessive traffic.
  • Accessing, modifying, or exfiltrating data you don't own.

Testing Guidelines

  • Use test accounts and data you own; don't access real customer data.
  • Limit PoCs to what's necessary to demonstrate impact.
  • Avoid privacy violations or service interruptions.
  • Respect rate limits and stop testing if you encounter live, sensitive data. Report immediately.

What We'd Like to See in a Report

A high-quality report typically includes:

  • Affected asset/URL and vulnerability type.
  • Clear reproduction steps (copy/paste commands where helpful).
  • Realistic impact and severity assessment.
  • Suggested remediation ideas, if any.

Our Security Baselines

  • TLS everywhere with modern configurations and security headers where applicable.
  • Email authentication (SPF, DKIM, DMARC) on company domains.
  • Principle of least privilege, MFA/Conditional Access, and encrypted data at rest where supported.
  • Vulnerability management and prompt patching for supported systems.