Responsible disclosure policy.
1. Scope
This policy applies to the production marketing and research surfaces at aedificeai.com and research.aedificeai.com, to any subdomain of aedifice.ai, and to the production Wren API. It also applies to customer Wren tenants where the customer has granted the researcher written permission to test on that tenant.
Aedifice welcomes reports of vulnerabilities in any of these systems, and will work with a researcher acting in good faith within the limits set out below.
2. Out of scope
The following are outside the scope of this policy and should not be tested without prior written agreement from Aedifice:
- Third-party integrations and sub-processor surfaces that are not operated by Aedifice, even where they connect to an Aedifice surface.
- Findings that depend on physical access to Aedifice facilities, employee devices, or customer premises.
- Social engineering of Aedifice personnel, customers, or sub-processors.
- Denial-of-service testing, volumetric testing, and testing that degrades the availability of the service for other users.
- Test instances, staging environments, and any environment not listed in section 1.
3. Reporting
Reports should be sent to security@aedificeai.com. Sensitive material can be encrypted with the Aedifice PGP key, fingerprint [fingerprint TBD].
Aedifice aims to acknowledge a report within three business days of receipt and to provide an initial triage response, including a severity assessment and an expected remediation window, within ten business days. More involved reports may require additional time, and Aedifice will communicate progress while the investigation is underway.
4. Safe harbor
Aedifice will not pursue legal action against a researcher who acts in good faith within the scope of this policy, who makes a reasonable effort to avoid harm to the service and to customer data, and who gives Aedifice a reasonable opportunity to remediate before any public disclosure.
Aedifice will coordinate with the researcher on the timing of disclosure. The default embargo is ninety days from initial report, and may be extended by mutual agreement for actively exploited vulnerabilities that require additional time to remediate safely. Where the researcher consents, Aedifice will credit the reporter in the public notice that accompanies a fix.
5. Rewards
We do not currently operate a paid bounty program. We recognize contributors publicly with their consent, and we send each valid reporter a letter of acknowledgment they can reference in their professional record. Past contributors, with their permission, are listed on our security hall of fame.
Aedifice reserves the right to introduce a paid program in the future. Any such program will be announced on this page before it takes effect.
6. Prohibited testing
Testing must not extract or exfiltrate the data of other customers, must not make persistent modifications to the service, and must not access or modify any real building record. A researcher who encounters customer data in the course of a test should stop, preserve evidence, and report promptly. Continued access or disclosure of such data will take a report outside the safe-harbor commitment in section 4.
7. Contact and updates
Questions about this policy can be directed to security@aedificeai.com. Aedifice may update this policy from time to time. The effective date at the top of the page reflects the most recent update.