Vulnerability Disclosure
We treat security research as a collaboration. This policy explains how to report vulnerabilities, what's in scope, the service levels we commit to, and the safe-harbor protections we extend to good-faith researchers.
1. How To Report
Email security@seifertdynamics.com with subject line [SECURITY] followed by a one-line summary.
PGP encryption is supported and recommended for high-severity findings. Request the current public key in your first message and we will reply with the fingerprint within one business day.
Include: affected asset (URL or component), reproduction steps, impact assessment, and (if possible) a CVSS v3.1 vector. Screenshots and PoC scripts welcome; please do not embed binaries unless requested.
2. Service Levels
Acknowledgment: one (1) business day from receipt.
Triage & severity assessment: five (5) business days. We classify findings against CVSS v3.1 and our internal impact taxonomy.
Status updates: at least every seven (7) calendar days until the finding is closed.
Coordinated disclosure window: ninety (90) days from triage, extendable by mutual agreement where remediation requires longer.
3. Scope
In scope: production systems operated by Seifert Dynamics — including seifertdynamics.com, atlas.seifertdynamics.com, argus.seifertdynamics.com — and the Atlas and Argus platform binaries we distribute.
Out of scope: third-party services we link to or rely on (e.g., Google reCAPTCHA, hosting providers); social-engineering tests against personnel, customers, or partners; physical attacks; denial-of-service or load testing; brute-force attacks on accounts; findings requiring physical access to a staff device; spam or volume-only findings.
Customer deployments (private Atlas / Argus instances inside a customer boundary) are outside the scope of this policy and should be addressed under the customer's deployment agreement and the customer's own VDP.
4. Safe Harbor
Seifert Dynamics will not initiate or support legal action against you for good-faith security research that complies with this policy. We consider research "good faith" when you:
(i) access only what is necessary to identify the vulnerability; (ii) avoid actions that could harm Seifert Dynamics, customers, or third parties (no destructive testing, no data destruction, no privacy violations); (iii) do not exfiltrate, retain, or share data beyond a single proof-of-concept; (iv) do not extort, threaten, or publicly disclose before the coordinated window closes; (v) report through the channel above as soon as practicable.
Compliance with this section is determined in good faith by Seifert Dynamics. Activities outside the safe harbor remain subject to applicable law, including the Computer Fraud and Abuse Act (18 U.S.C. § 1030).
5. Authorization
This policy provides authorization to conduct security research on the in-scope systems within the bounds stated above. Authorization does not extend to systems not enumerated as in-scope, to third-party services, or to actions that are inconsistent with this policy.
6. Recognition
We do not currently operate a paid bug-bounty program. We do publish security notes for fixed findings (with researcher credit by default — anonymity available on request) and maintain a private acknowledgments roster.
If your finding has direct national-security implications, we coordinate with the appropriate CSIRT (CISA, US-CERT, sector-ISAC) under the same timelines.
7. Contact
Reports: security@seifertdynamics.com. Policy questions: legal@seifertdynamics.com.
Last updated: 2026.