Responsible disclosure policy

At SplxAI, we take security issues very seriously and recognize the importance of privacy, security, and community outreach. Our mission is to work with third parties (including our customers, the AI community, and others) to improve the security and quality of the systems that power their business functions.

SplxAI’s disclosure program is designed to support victim organizations in reducing the costs and impacts of data breaches and cybersecurity threats. We firmly believe that organizations with access to advanced AI attack techniques and vectors have a duty to share this crucial information with affected parties, independent of any sales or marketing activities.

This policy outlines our process for reporting and disclosing security vulnerabilities discovered in third-party products and services. When a vulnerability is identified, SplxAI will make diligent efforts to exchange PGP keys for encrypted email. If a secure communication is created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If SplxAI does not receive a response to our attempt to establish a secure communication channel within seven days, we will then send a description of the vulnerability to the vendor via plain text email.

Vulnerability disclosure timeline and communication process

Day 0

  • Initial vendor contact

  • Provide vulnerability description

Day 7

  • Second attempt to contact the vendor due to no response to initial communication

Day 21

  • Third attempt to contact the vendor with the release date of the vulnerability report

Day 30

  • Final attempt to contact the vendor due to lack of response or communication halt

Day 90

  • Disclosure of the vulnerability report on the SplxAI research blog

  • If the vendor releases a patch or fix before 90 days, SplxAI will immediately disclose the full vulnerability report after the release

  • CVE publication request submitted to MITRE

Note: If the 90-day default timeline is insufficient for creating a patch or other mitigation, adjustments to disclosures and timelines may be made as needed. This consideration applies only in cases where there is healthy communication with the vendor, who is actively working to remediate the vulnerability but requires additional time. However, if communication deteriorates, responses are infrequent, or there is a lack of genuine effort to resolve the issue, we may be obligated to disclose the vulnerability for the protection of the user base and community.

Understanding Responsible Disclosure

Responsible Disclosure (RD) means sharing vital security information with affected organizations to help protect their users and employees. Our RD team, part of SplxAI’s research group, actively works with these organizations to provide them with identified data and vulnerabilities. This ensures they can address and fix any potential exposures caused by the release of this information.

The Importance of SplxAI’s Responsible Disclosure Program

Collaboration

A key advantage of our RD program is the collaboration it fosters with cybersecurity teams at other companies. These interactions often give us unique insights into threat actors, data, and trends in criminal and fraudulent activities targeting their industries. This cooperation enhances our understanding of the disclosed data and helps build lasting partnerships with cybersecurity and AI teams across various organizations. Importantly, we never use the information obtained for commercial purposes unless explicitly authorized by the affected organizations.

Ensuring Internet Safety

Responsible Disclosure (RD) is essential to our mission of improving internet safety. Our RD team conducts white-hat DAST manual testing to find vulnerabilities, breaches, leaks, and stolen data. We notify affected organizations, prioritizing those offering public services, part of critical infrastructure, or facing significant downstream risks like supply chain impacts, regardless of whether they are our customers.

Following Legal Guidelines

Our RD program adheres to Department of Justice guidelines for collecting and recovering stolen data. We comply with the Computer Fraud & Abuse Act, ensuring no unauthorized access to third-party systems. We inform data owners about their data and return it without any conditions. SplxAI proactively contacts affected organizations, whether they are customers or not.

Responsible Disclosure: Dos and Don’ts

We’ve defined some best practices – as well as practices to avoid – that we’ve found to be helpful along the way in building SplxAI’s RD program.

Dos

  • Verify data. Ensure the data is accurate and reproducible. We avoid notifying organizations about breaches that are already public knowledge or widely covered in the news.


  • Provide clear information. When notifying, include:

    • A brief summary of the data, such as file types, number of records, and data types.

    • The raw data, with sensitive information encrypted.

    • Any restrictions on sharing the data. Generally, the data belongs to the affected organizations, so they control its use.


  • Use trusted contacts. Ideally, reach out through trusted contacts within the affected organization’s cybersecurity team. If that’s not possible, use reputable organizations like Information Sharing and Analysis Centers or National CSIRTs. As a last resort, contact them directly via their website or LinkedIn, ensuring the contact is valid. Direct communication with cybersecurity or IT teams avoids delays and ensures the issue is handled swiftly.

Don'ts

  • Don’t mix RD with sales. Keep RD separate from sales or marketing. Our RD team operates independently to ensure notifications are seen as credible and not sales tactics.

Our focus remains on collaborating with fellow researchers and the security community to assist victims as we expand our RD program. If you have any questions, please reach out to us at disclosure@splx.ai, and a team member will respond promptly.