Responsible Disclosure Policy
How security researchers can report vulnerabilities in aimp.dev safely and in good faith.
Last updated: July 2026
1. Purpose
aimpworks ltd is committed to protecting the security of aimp.dev and our users. This Responsible Disclosure Policy explains how to report potential security vulnerabilities and the boundaries of authorised good-faith research.
2. Scope
This Policy applies to:
Out of scope: third-party services not operated by us, customer-configured integrations, social engineering of our staff or users, and physical security testing. If you are unsure whether a system is in scope, contact us before testing.
- The aimp.dev website and authenticated platform.
- Our application programming interfaces (APIs) exposed to customers.
- Systems owned or operated by us for delivery of the Service.
3. Safe Harbor
If you comply with this Policy and act in good faith, we will not initiate legal action against you for authorised research activities. To qualify:
- Report the issue promptly and keep it confidential until we resolve it.
- Do not access, modify, or exfiltrate data belonging to other users.
- Do not degrade service availability or harm real users.
- Limit testing to what is necessary to demonstrate the vulnerability.
- Do not publicly disclose the issue before we have had reasonable time to remediate.
4. How to Report
Send reports to security@aimp.dev. Include:
We aim to acknowledge receipt within 72 hours.
- A clear description of the vulnerability.
- Steps to reproduce, with proof of concept if available.
- The affected URL, endpoint, or feature.
- Your assessment of potential impact.
- Your contact information for follow-up.
5. Our Process
We ask that you allow us up to 90 days to investigate and remediate before public disclosure, unless we agree otherwise.
- Validate and assign severity to reported issues.
- Work to remediate confirmed vulnerabilities based on risk.
- Notify you when a fix is deployed or a mitigation is in place.
- Coordinate on any public disclosure timing if you wish to publish findings.
6. Prohibited Activities
- Denial-of-service or load attacks against production systems.
- Accessing or modifying other users' accounts or data.
- Deploying malware, ransomware, or destructive payloads.
- Social engineering, phishing, or physical intrusion attempts.
- Automated scanning that materially degrades service performance.
- Exploiting a vulnerability beyond what is needed to demonstrate it.
7. Recognition
We appreciate responsible reports from the security community. We do not currently operate a paid bug bounty programme but may acknowledge researchers who follow this Policy, at our discretion and with your consent.
8. Changes
We may update this Policy from time to time. The "Last updated" date reflects the current version.