Last updated: March 16, 2026
Vulnerability Disclosure Policy & Bug Bounty Program
This policy covers reporting vulnerabilities to Delphos Labs. If you are a vendor responding to a vulnerability report from our research team, please contact us at vuln-disclosure@delphoslabs.com.
Introduction
Delphos Labs is committed to ensuring the security of our platform, our customers, and the broader security community. Our platform automates reverse engineering to identify security flaws, including vulnerabilities, within binary files. We believe that working together with security researchers and the community is essential to maintaining a secure environment for everyone.
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for submitting discovered vulnerabilities to us. We encourage you to contact us to report potential vulnerabilities in our systems.
Security is essential to Delphos Labs' mission. We appreciate the contributions of ethical hackers who help us uphold high privacy and security standards for our users and technology. This policy outlines our definition of good faith regarding the discovery and reporting of vulnerabilities, and clarifies what you can expect from us in return.
Guidelines
Under this policy, "research" means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
- Do not submit a high volume of low-quality reports
- Follow this policy and any other relevant agreements
- Keep vulnerability details confidential until authorized for release by Delphos Labs' security team (we aim to provide authorization within 90 days of report receipt)
Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test Methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
- Tests that exhaust system resources
- Automated scanning tools that generate significant amounts of traffic
- Introduction of malware
- Tests involving deletion, modification, or access of data without explicit permission
- Tests that probe, scan, or test the vulnerability of systems outside of the defined scope
- Attacks that may degrade, disrupt, or negatively impact services or user experience
- Attacks stemming from stolen or leaked credentials
- Intentional access to data beyond the minimum necessary to demonstrate a vulnerability
Scope
This policy applies to the following systems and services:
- https://delphoslabs.com/
- The Delphos Labs binary analysis platform
- Our public APIs and documentation
- Our public-facing website
- Code interpreters and sandboxed execution environments
Any service not expressly listed above, such as any connected service, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system is in scope or not, contact us at security@delphoslabs.com before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
AI-Specific Security Guidelines
Delphos Labs is focused on AI technology, and we recognize the unique security challenges that AI systems present. When testing our AI systems, researchers should be aware of the following:
In Scope for AI-Related Testing:
- Security vulnerabilities in the AI model serving infrastructure
- Methods to extract or access model weights without authorization
- Authentication/authorization bypass in AI APIs
- Access control issues allowing unauthorized model access or manipulation
- Unauthorized access to confidential training data
- Server-side vulnerabilities in our model deployment pipelines
- Side-channel attacks against our AI systems
- Supply chain vulnerabilities in AI components
- Race conditions in model serving infrastructure
- Infrastructure vulnerabilities in our machine learning environments
Out of Scope for AI-Related Testing:
- Content-based attacks and jailbreaks of model behavior
- Prompt injection that causes the model to respond with unintended content
- Getting the model to generate harmful, unethical, or biased content
- Model hallucinations or inaccuracies
- Theoretical attacks without proof of exploitation
- Sandboxed code execution (when this is an intended feature)
- Issues related purely to model performance or accuracy
If you discover a legitimate security vulnerability in our AI systems, we encourage you to report it according to our guidelines. We are particularly interested in vulnerabilities that could lead to unauthorized access, data exposure, or system compromise.
Reporting a Vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Delphos Labs, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
We accept vulnerability reports via email at security@delphoslabs.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 business days.
For particularly sensitive information, we support PGP-encrypted emails. Our public key is available at https://delphoslabs.com/gpg-key.txt.
By submitting a vulnerability, you acknowledge that you have no expectation of payment from Delphos Labs unless it is a qualifying submission under our Bug Bounty Program (see details below).
What We Would Like to See From You
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe where the vulnerability was discovered and the potential impact of exploitation
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)
- Include the version number of affected software/systems and any configuration required to reproduce
- Are written in English, if possible
- Include your name and contact information if you would like to be eligible for our Bug Bounty rewards
Required Evidence and Format
A complete vulnerability report should contain:
- Summary: A clear, concise description of the vulnerability.
- Technical Details: Precise technical explanation of the security issue.
- Impact Assessment: Description of the potential security impact and affected users.
- Proof of Concept: Working demonstration or clear steps to reproduce the issue.
- Severity Assessment: Your assessment of the severity (and CVSS score if applicable).
- Mitigation Suggestions: Optional recommendations for addressing the vulnerability.
- Supporting Materials: Screenshots, videos, or code samples that help illustrate the issue.
- System Environment: Details of the environment used during testing (browser version, operating system, etc.).
Reports lacking sufficient information to reproduce the issue may be deprioritized or closed until more details are provided.
Responsible Testing Environments
Whenever possible, we strongly encourage researchers to:
- Use test accounts rather than production accounts for testing
- Create dedicated test accounts if you need to verify user-specific functionality
- Clearly mark any test accounts with "SECURITY TEST" in the profile information
- Use the staging or development environments if they are available
- Minimize testing during peak business hours for functionality that could impact system performance
- Inform us before conducting any tests that might affect system availability or integrity
Duplicate Submissions
In the case of duplicate vulnerability reports, we follow these guidelines:
- The first researcher to submit a specific vulnerability that we can successfully reproduce will receive credit and any applicable reward.
- The timestamp of the initial submission is the primary factor in determining priority.
- If multiple reports of the same vulnerability are received within a 24-hour period, preference will be given to the most complete and detailed report.
- Subsequent reports of the same vulnerability may receive acknowledgment but will not be eligible for rewards.
- Reports that identify additional impact or exploitation methods for a previously reported vulnerability may be considered unique if they significantly change our understanding of the risk.
- We reserve the right to make the final determination on what constitutes a duplicate finding.
Confidentiality Requirements
When participating in our vulnerability disclosure program:
- All vulnerability details should be considered confidential until explicitly authorized for public disclosure by Delphos Labs.
- For particularly sensitive vulnerabilities, we may ask you to sign a non-disclosure agreement before sharing detailed information.
- Do not share any details about the vulnerability with third parties, including:
  - Other security researchers
  - Media organizations
  - Social media platforms
  - Other companies or organizations
- We request a minimum 90-day disclosure window from the time of your report to allow for proper assessment and remediation.
- After a vulnerability has been fixed, please consult with us before publishing any details to ensure no sensitive information is inadvertently disclosed.
- We may request extended confidentiality for critical vulnerabilities that require coordinated disclosure across multiple affected parties.
Terms of Service Integration
This Vulnerability Disclosure Policy operates alongside our Terms of Service but does not override or replace them. Security research conducted under this policy must still comply with our Terms of Service, available at https://delphoslabs.com/terms.
Where conflicts exist between this policy and our Terms of Service regarding security research activities, the Terms of Service take precedence. Any security testing that goes beyond the scope outlined in this policy may constitute a violation of our Terms of Service and applicable laws.
By submitting vulnerability reports to Delphos Labs, you acknowledge that you have read and agree to both this policy and our Terms of Service.
What You Can Expect From Us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 7 business days, we will acknowledge that your report has been received
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution
- We will maintain an open dialogue to discuss issues
- We will work to remediate discovered vulnerabilities within 90 days
- Once a vulnerability has been resolved, we welcome you to disclose the vulnerability details with our explicit approval
Bug Bounty Program
In addition to our Vulnerability Disclosure Policy, Delphos Labs offers a Bug Bounty Program for qualifying security vulnerabilities. This program is designed to incentivize security researchers to help us improve our security posture.
Reward Structure
Delphos Labs evaluates each vulnerability submission individually based on several factors, including:
- Severity of the vulnerability
- Potential impact on our systems and users
- Quality and completeness of the report
- Novelty of the vulnerability
- Difficulty of exploitation
At our discretion, we may offer monetary rewards for significant vulnerabilities that help us improve our security. We do not publicly commit to specific reward amounts, as each submission is evaluated on its own merits. Rewards are determined by the Delphos Labs security team after thorough assessment of the reported vulnerability.
Examples of Qualifying Vulnerabilities:
- Remote Code Execution (RCE)
- SQL Injection
- Authentication bypasses
- Server-Side Request Forgery (SSRF)
- Cross-Site Scripting (XSS) with significant impact
- Cross-Site Request Forgery (CSRF) with significant impact
- Business logic vulnerabilities with security implications
- Unauthorized access to sensitive data
- Security vulnerabilities in AI infrastructure (as outlined in the AI-Specific Guidelines)
Ineligible for Bug Bounty Rewards:
- Missing HTTP security headers
- TLS configuration issues without demonstrated exploit
- Self-XSS requiring user interaction
- CSRF vulnerabilities with low impact
- Rate limiting issues
- Social engineering attacks
- Reports without clear security impact
- Issues already reported by another researcher
- Issues already known to Delphos Labs
- Most of the out-of-scope items mentioned in the AI-Specific Guidelines
- Attacks requiring physical access
All reward decisions are at the sole discretion of the Delphos Labs security team.
Coordinated Disclosure
We believe that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process, and that one of the best ways to make software better is to enable everyone to learn from each other's mistakes.
At the same time, we believe that disclosure in the absence of a readily available patch tends to increase risk rather than reduce it, and so we ask that you refrain from sharing your report with others while we work on a fix. If you believe there are others who should be informed about your report before the vulnerability is fixed, please let us know so we can enable the disclosure in a coordinated manner.
Recognition and Acknowledgment
We believe in recognizing the valuable role that security researchers play in keeping our systems secure. Unless you request to remain anonymous, we will acknowledge your contribution in our security acknowledgments page after the vulnerability has been resolved.
Safe Harbor
Research conducted under this policy must be performed in accordance with all applicable laws and Delphos Labs' Terms of Service. We advise security researchers to review our Terms of Service before beginning any security testing.
While Delphos Labs supports responsible security research, compliance with this policy does not guarantee immunity from any potential legal consequences that may arise from your research activities. Security researchers are solely responsible for ensuring that their conduct adheres to all relevant laws and regulations.
Researchers should be aware that any testing of systems not owned by Delphos Labs, including third-party services that integrate with our platform, may be subject to separate terms, conditions, and potential legal consequences. Such testing is outside the scope of this policy, and Delphos Labs makes no representations or warranties regarding the legality of testing third-party systems.
If you have concerns or are unsure whether your security research aligns with this policy or our Terms of Service, please contact security@delphoslabs.com before proceeding.
Questions
Questions regarding this policy may be sent to security@delphoslabs.com. We also invite you to contact us with suggestions for improving this policy.
Security.txt
In compliance with RFC 9116, we maintain a security.txt file at https://delphoslabs.com/.well-known/security.txt that contains current security contact information and links to this policy.