IlluminateRisk Trust Center
Responsible disclosure · v2026.05

Trust Center / Responsible disclosure

Responsible disclosure

IlluminateRisk welcomes good-faith security research. If you've found a vulnerability, this page is how to report it, what we'll do, and what we promise in return.

Report to
support@illuminaterisk.ai
Triage SLA
Acknowledgement within 3 business days
Resolution target
Severity-based; see below

How to report

Email support@illuminaterisk.ai with the following:

If the finding is sensitive enough that email plaintext isn't appropriate, ask in your first message and we'll arrange an encrypted channel.

What we'll do

  1. Acknowledge receipt within three (3) business days.
  2. Triage the finding and assign a severity (Critical / High / Medium / Low / Informational).
  3. Communicate on a defined cadence — weekly for Critical/High, biweekly for Medium, monthly for Low — until the finding is closed.
  4. Remediate within the target window for the severity (below).
  5. Notify the reporter when the fix is deployed; coordinate any public disclosure.
SeverityTarget resolution
Critical (immediate data exposure / RCE)Mitigation within 48 hours; permanent fix within 7 days.
High (privilege escalation / auth bypass)Within 14 days.
Medium (information disclosure with low blast radius)Within 30 days.
Low / InformationalNext maintenance window or roadmap cycle.

In scope

Out of scope

Safe harbor

Good-faith security research is welcome and will not be pursued. If you:

… then IlluminateRisk will not pursue legal action against you for your research, will treat your activity as authorized testing under the Computer Fraud and Abuse Act and similar laws, and will request that any third party we engage with (counsel, law enforcement) honors the same position.

What we ask

Recognition

We're a small team without a paid bug-bounty program yet. We do, however, maintain a "Researchers we owe" list on this page once we have a fix to tell the story about, and we ship a thank-you note (and a hat) for every validated report. If a researcher's contribution warrants more than that, we'll work out something reasonable — get in touch.

Contact

support@illuminaterisk.ai — the single team mailbox for all IlluminateRisk inquiries. Please tag the subject line with [SECURITY] so the first responder routes your report into the triage queue.