Responsible Disclosure

Report security vulnerabilities safely. We are committed to working with researchers to protect our users.

Last updated: March 12, 2026

Introduction

At Arcus, security is fundamental to our mission of providing trustworthy AI governance across 30+ global jurisdictions. We value the contributions of security researchers and the broader community in helping us maintain the highest security standards.

This Responsible Disclosure Policy provides guidelines for conducting security research and reporting vulnerabilities to us. We are committed to working with security researchers to verify and address any potential vulnerabilities reported to us.

This policy is designed to comply with responsible disclosure frameworks and computer misuse legislation across Australia, the European Union, United Kingdom, United States, Canada, Brazil, Singapore, Japan, South Korea, and New Zealand.

Scope

This policy applies to the following systems and services:

  • The Arcus web application (app.arcus-ai.app)
  • The Arcus public website (arcus-ai.app)
  • Arcus API endpoints (api.arcus-ai.app)
  • Arcus Edge Functions and serverless infrastructure
  • Mobile applications (when available)

Out of Scope:

  • Third-party services integrated with Arcus (e.g., Supabase, Stripe, Vercel)
  • Social engineering attacks against Arcus employees or contractors
  • Physical security of Arcus offices or infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Automated vulnerability scanning that generates excessive traffic

How to Report

If you believe you have found a security vulnerability, please report it to us through the following channels:

Primary Contact

[email protected]

Alternative Contact

[email protected]

When reporting a vulnerability, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

Please encrypt sensitive reports using our PGP key, available at arcus-ai.app/.well-known/security.txt.

Safe Harbour

Arcus considers security research conducted under this policy to be authorised and will not pursue legal action against researchers who:

  • Act in good faith and in accordance with this policy
  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data
  • Only interact with their own accounts or test accounts for security research purposes
  • Do not exploit a vulnerability beyond what is necessary to confirm its existence
  • Report vulnerabilities promptly and do not disclose them publicly before they are resolved
  • Do not use findings for malicious purposes or personal gain beyond any applicable bug bounty rewards

We will not take legal action against security researchers who discover and report vulnerabilities in accordance with this policy. This safe harbour applies to researchers regardless of their jurisdiction, provided they comply with the guidelines set out in this policy.

This safe harbour is consistent with the principles set out by the US Department of Justice's Framework for a Vulnerability Disclosure Program (2017), the EU NIS2 Directive's coordinated vulnerability disclosure provisions, and the Australian Signals Directorate's guidelines on responsible disclosure.

Response Timeline

We are committed to responding to security reports promptly:

  • Acknowledgment: Within 2 business days of receipt
  • Initial Assessment: Within 5 business days
  • Status Update: At least every 10 business days during investigation
  • Resolution Target: Within 90 days for critical and high-severity issues
  • Public Disclosure: Coordinated disclosure after fix deployment, with credit to the researcher

Timelines may vary depending on the complexity of the vulnerability and the resources required to address it. We will keep reporters informed of progress throughout the process.

Severity Classification

We classify vulnerabilities using the following severity levels:

  • Critical: Remote code execution, authentication bypass, data breach exposing sensitive user data, privilege escalation to admin-level access
  • High: Cross-site scripting (XSS) with significant impact, SQL injection, insecure direct object references affecting user data, CSRF on critical functions
  • Medium: Information disclosure of non-sensitive data, session management issues, missing security headers with exploitable impact
  • Low: Missing best-practice security headers without exploitable impact, verbose error messages, outdated software versions without known exploitable vulnerabilities

Severity is assessed based on the potential impact to Arcus users, data confidentiality, and system integrity.

Recognition and Rewards

We believe in recognizing the efforts of security researchers who help us improve our security posture:

  • Public Acknowledgment: With the researcher's permission, we will acknowledge their contribution on our security hall of fame
  • Direct Communication: Researchers will receive direct communication with our security team throughout the process
  • Reference Letters: We are happy to provide reference letters for researchers who make significant contributions

Note: Arcus does not currently operate a formal bug bounty program with financial rewards. However, we are evaluating the introduction of a bounty program and will update this policy accordingly.

We reserve the right to determine if a report qualifies for recognition based on the severity, impact, and quality of the report.

Researcher Guidelines

When conducting security research, please adhere to the following guidelines:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could negatively impact other users or the availability of our services
  • Do not use automated tools that generate excessive traffic or degrade service quality
  • Do not test for vulnerabilities in third-party services that are integrated with Arcus
  • Do not disclose vulnerability details publicly until we have had reasonable time to address the issue
  • Do not conduct any testing against services that you do not have explicit permission to test
  • Comply with all applicable laws and regulations in your jurisdiction

If you are unsure whether your research activities are within scope, please contact us before proceeding.

Exclusions

The following activities are explicitly excluded from this policy and may result in legal action under applicable computer misuse and cybercrime legislation (including but not limited to Australia's Criminal Code Act 1995 Division 477-478, the US Computer Fraud and Abuse Act, the UK Computer Misuse Act 1990, the EU NIS2 Directive, Singapore's Computer Misuse Act, Japan's Unauthorised Computer Access Law, South Korea's Act on Promotion of Information and Communications Network Utilisation, Brazil's Marco Civil da Internet, Canada's Criminal Code Section 342.1, and New Zealand's Crimes Act 1961):

  • Any form of denial of service attack
  • Spamming or social engineering against Arcus employees, contractors, or customers
  • Physical attacks against Arcus facilities
  • Any attempt to access, modify, or destroy data belonging to other users
  • Any testing that degrades service availability for other users
  • Selling or trading vulnerability information to third parties
  • Extortion or threatening behaviour related to discovered vulnerabilities

Contact

For security-related inquiries:

Security Team: [email protected]

Data Protection Officer: [email protected]

General Legal Inquiries: [email protected]

Arcus Technologies Pty Ltd, Melbourne, Victoria, Australia
