Security reporting policy

Vulnerability Disclosure Policy

The controlled public reporting channel for good-faith security researchers who want to report issues affecting Borealis Security, auroracommand.ai, or the Aurora Command application and Trust Center.
Last updated: March 15, 2026
Plain-English summary

This policy gives researchers a controlled way to report good-faith findings without creating a license to exceed authorization, disrupt systems, access customer data, or test third-party or customer environments.

Borealis may review and prioritize reports in its discretion. The policy does not create a bug-bounty program, contractual immunity, public-disclosure right, or guaranteed response timeline.

Publication details

Owner: Borealis Security, Inc. Security
Published version: Published Aurora legal release · 2026-03-15
Rendered document hash: cfdb7d8d7cb6e0e820d8757464a8093ed9b2575f487681ab6eb92cf512d743bc
Reference files: 33_External_Vulnerability_Disclosure_Policy.txt
This is a voluntary disclosure channel only. It is not a penetration-testing authorization, bounty promise, immunity grant, or waiver of Borealis's legal rights.

1. Scope

This policy applies only to systems, domains, applications, and APIs that Borealis designates as in scope on its website or Trust Center. It does not authorize testing against customer environments, third-party services, employees, physical locations, wireless networks, or social-engineering targets unless Borealis separately permits that activity in writing.

No person may rely on this policy as a license to exceed authorized access, disrupt systems, extract customer data, alter records, bypass authentication, or impair availability.

2. Authorized conduct

A reporter acting in good faith may submit a vulnerability report if the reporter:

  • Limits activity to the minimum necessary to confirm the issue.
  • Avoids service disruption.
  • Avoids accessing, storing, altering, or downloading Customer Data except to the minimum extent technically unavoidable.
  • Immediately stops testing and reports the issue if sensitive data is encountered.
  • Follows Borealis reporting instructions and confidentiality expectations.

Good-faith reporting under this policy does not include credential stuffing, denial-of-service testing, spam, phishing, pretexting, social engineering, data exfiltration, malware deployment, physical intrusion, destructive testing, or public disclosure before Borealis authorizes disclosure.

3. How to report

Reports should be sent to Borealis's designated security contact and should include enough detail for triage, such as the affected asset, steps to reproduce, potential impact, timestamps, supporting screenshots or logs, and proof-of-concept code that is reasonably necessary to reproduce the issue.

If a report involves a customer workspace, identify the workspace only to the extent necessary for Borealis to investigate and do not share customer materials publicly or with third parties.

4. Borealis commitments

Borealis will review good-faith reports, may acknowledge receipt, may request additional information, and may use commercially reasonable efforts to investigate and remediate confirmed issues in a manner it determines appropriate.

Borealis may decide in its sole discretion whether and when to validate, prioritize, remediate, disclose, credit, or communicate about any report. This policy does not commit Borealis to a specific response time, bounty payment, public acknowledgement, or remediation timeline.

5. Confidentiality and disclosure

All reports and related communications are confidential. Reporters may not publish, disclose, discuss, or use a discovered issue, report content, or Borealis response without Borealis's prior written consent.

Borealis may request coordinated disclosure timing, may require exploit details to be redacted, and may deny permission for public disclosure where customer protection, legal obligations, or operational security require it.

6. No waiver; no offer; reservation of rights

This policy is a voluntary disclosure channel only. It does not create a contract, bounty program, agency relationship, immunity, or waiver of any legal right, claim, defense, privilege, or remedy.

Borealis reserves the right to investigate, escalate, suspend access, refer matters to law enforcement, pursue civil claims, or take any other action it deems appropriate if conduct falls outside this policy or creates legal, operational, or customer risk.

Need the Security Team?

Use the dedicated security channel for coordinated disclosure, security reports, or scope questions before sending proof-of-concept material.