Address
security@au-svrn.com. Also published at /.well-known/security.txt.
Scope
- The institutional site at au-svrn.com.
- The verification infrastructure operated under AU-SVRN methodology, including the public registries of the operating brands.
- The cryptographic and signing infrastructure used for identity-binding.
Out of scope: the operating brands' product surfaces (humark.id, puratrust.com), which maintain their own security disclosure policies on their own properties.
Safe harbour
The institution will not pursue legal action against researchers who, acting in good faith, report findings to the disclosure address and refrain from public disclosure for an agreed embargo period.
Embargo
The default embargo is 90 days from the date of acknowledgement, extendable by mutual agreement where the issue requires longer remediation. Critical issues may be remediated in shorter cycles.
Acknowledgement
The institution targets acknowledgement of new reports within five business days. Researchers who request public credit at the time of disclosure are credited in the resolution notice unless they request otherwise.
Encryption
A PGP key for encrypted reports will be published with this policy at v1.0.