
Responsible Disclosure Policy

How to report security issues · safe harbor · response SLA

Updated · 2026-05-26 · 4-minute read · 9 sections

This document is not legal advice for your specific situation. We email all users before material changes.

Last updated: 2026-05-26 · This policy is in force as of the date above and is reviewed periodically.

1. Purpose

Astrael takes security seriously. This policy describes how security researchers should report vulnerabilities in our products and infrastructure, and what we commit to in return. It is modelled on the responsible-disclosure frameworks published by Anthropic, GitHub, and other providers.

2. Scope of systems

In scope

  • astrael.ai and its subdomains (*.astrael.ai)
  • api.astrael.ai (when made public)
  • The Astrael web application served from the production branch (Next.js · Vercel)
  • The Astrael Supabase backend (Postgres · auth · storage · realtime)
  • The StarRegistry / StarCertificateNFT smart contracts on Polygon and Ethereum mainnet (verified source on the public block explorers)

Out of scope

  • Third-party services we depend on (Stripe, Supabase, Vercel, Anthropic, Mapbox, LiveKit, D-ID, Together.ai, Resend) — report those to the respective vendor; we will help you triage.
  • General SSL/TLS hardening reports without a working proof-of-concept.
  • Rate-limiting reports on unauthenticated endpoints.
  • Physical intrusion, social engineering, phishing.
  • Denial-of-service attacks (do not perform).
  • Account takeover by password brute force (do not attempt it).
  • AI model red-teaming and jailbreaks — please report those to usersafety@astrael.ai (the safety channel), not this one.
  • Recently disclosed vulnerabilities in third-party software we depend on, where no public patch exists or the patch was released less than 30 days ago.

3. Scope of vulnerabilities

Examples of in-scope issues:

  • SQL injection · cross-site scripting (XSS) · cross-site request forgery (CSRF) · SSRF · directory traversal
  • Privilege escalation · authentication bypass · IDOR
  • Smart-contract logic errors that could lead to unauthorized minting, transfer, or denial of service
  • Supabase RLS policy bypasses that would let one user read or modify another user's private data
  • Stripe webhook signature bypass, replay, or amount tampering
  • Leakage of API keys, signing keys, or private keys in client-side bundles or public commits

4. How to submit a report

Send a single email to disclosure@astrael.ai with:

  1. A description of the vulnerability.
  2. Steps to reproduce (ideally with proof-of-concept code or a curl invocation).
  3. The impact (what an attacker can do; affected user counts if estimable).
  4. Your name (or pseudonym) and contact details if you want public credit. Payment details are not needed: we do not currently offer a bounty (see section 7), but acknowledgement is published.

Encrypted submissions are welcome. Our PGP key fingerprint will be published at /.well-known/security.txt (planned).

Do not open public GitHub issues for security reports. Do not share details on social media until we have rolled out a fix.

5. What you can expect from us

  • Acknowledgement within three (3) business days that we have received your report and are triaging it.
  • Best-effort updates as we investigate. We will not silently sit on a credible report.
  • A patch within a timeline appropriate to severity (target: critical < 7 days · high < 30 days · medium < 90 days).
  • Public credit on our security page after the fix lands, if you consent. We will not name you without permission.

6. Safe harbor

If you make a good-faith effort to comply with this policy, we will:

  • Not pursue legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) anti-circumvention provisions, or analogous laws in your jurisdiction, for any research conducted in accordance with this policy.
  • Not initiate or support a complaint against you with law enforcement, except as required by an enforceable legal order.
  • Protect your identity as a researcher unless legally required to disclose it.

Safe harbor applies when you:

  • Test only against accounts you own or have explicit permission to test.
  • Avoid privacy violations, data destruction, and any interruption of our service.
  • Avoid social engineering of our staff.
  • Minimize data exfiltration to what is strictly necessary to demonstrate the vulnerability — preferably none.
  • Do not extort, threaten, or condition disclosure on payment.
  • Are not on a U.S. OFAC sanctions list and do not reside in a country subject to U.S. comprehensive sanctions.
  • Comply with all other applicable laws.

7. Bounties

We do not currently operate a paid bug-bounty program. When we launch one, this policy will be updated and the program details will be published. In the interim, qualifying reporters receive public credit and, where appropriate, Astrael product credit (non-monetary).

8. Changes to this policy

We may update this policy as our infrastructure and the threat landscape evolve. The most current version is the one posted here.

9. Contact

Security reports: disclosure@astrael.ai (see section 4). AI model safety issues, red-teaming, and jailbreaks: usersafety@astrael.ai.

This document is platform-drafted and pending counsel review.
