Vulnerability Disclosure Policy
Last updated: 2026-02-22
1. Our Commitment
Umbrella Research takes the security of AfterLight and our users’ data seriously. We welcome responsible disclosure of security vulnerabilities from the research community and the public.
2. Scope
This policy covers vulnerabilities in:
• AfterLight application (api.umbrella-research.org)
• Umbrella Research website (umbrella-research.org)
• Associated APIs and services
Out of scope:
• Third-party services we use (OpenAI, Google Cloud, Cloudflare) — please report to those providers directly
• Social engineering attacks against our team
• Denial of service attacks
• Spam or phishing
3. How to Report
Please report security vulnerabilities to security@umbrella-research.org. Include:
• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any supporting evidence (screenshots, logs, proof of concept)
• Your contact information for follow-up
Please do not include sensitive user data in your report. If the vulnerability involves user data, describe the access path without extracting actual data.
4. What to Expect
• Acknowledgment of your report within 3 business days
• An initial assessment within 10 business days
• Regular updates on the status of your report
• Notification when the vulnerability is resolved
We are a small research team and response times may vary. We appreciate your patience and will keep you informed throughout the process.
5. Safe Harbor
We will not take legal action against researchers who:
• Act in good faith to avoid privacy violations, data destruction, or service disruption
• Do not access or modify other users’ data
• Do not perform destructive testing
• Report vulnerabilities promptly and provide reasonable time for remediation
• Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them
6. What We Ask
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
• Do not access, modify, or delete other users’ data
• Do not perform actions that could degrade service availability
• Allow reasonable time for remediation before any public disclosure
• Do not use automated scanning tools against production services without prior coordination
7. Recognition
We believe in recognizing security researchers who help improve our security. With your permission, we will acknowledge your contribution. We do not currently offer a paid bug bounty program.
8. Contact
Security reports: security@umbrella-research.org
For non-security inquiries, please use our contact form at umbrella-research.org or email privacy@umbrella-research.org.