External Vulnerability Disclosure Policy
Borealis Security, Inc. and Aurora Command | conditional public policy template
This policy provides a channel for good-faith security researchers to report potential vulnerabilities affecting Borealis Security, Inc., borealissecurity.com, auroracommand.ai, and the Aurora Command application and Trust Center. It is intended to reduce unmanaged disclosure risk while preserving Borealis’s control over production systems, customer data, and remediation communications.
Scope
This policy applies only to systems, domains, applications, and APIs that Borealis designates as in scope on its website or Trust Center. It does not authorize testing against customer environments, third-party services, employees, physical locations, wireless networks, or social-engineering targets unless Borealis expressly and separately permits that activity in writing. No person may rely on this policy as a license to exceed authorized access, disrupt systems, extract customer data, alter records, bypass authentication, or impair availability.
Authorized Conduct
A reporter acting in good faith may submit a vulnerability report if the reporter: (a) limits activity to the minimum necessary to confirm the issue; (b) avoids service disruption; (c) avoids accessing, storing, altering, or downloading Customer Data except to the minimum extent technically unavoidable; (d) immediately stops testing and reports the issue if sensitive data is encountered; and (e) follows Borealis’s reporting instructions and confidentiality expectations. Good-faith reporting under this policy does not include credential stuffing, denial-of-service testing, spam, phishing, pretexting, social engineering, data exfiltration, malware deployment, physical intrusion, destructive testing, or public disclosure before Borealis authorizes disclosure.
How to Report
Reports should be sent to the designated security contact published by Borealis. Reports should include sufficient detail for triage, such as the affected asset, steps to reproduce, potential impact, timestamps, supporting screenshots or logs, and any proof-of-concept code that is reasonably necessary to reproduce the issue. If a report involves a customer workspace, the reporter must identify the workspace only to the extent necessary for Borealis to investigate and must not share customer materials publicly or with third parties.
Borealis Commitments
Borealis will review good-faith reports, may acknowledge receipt, may request additional information, and may use commercially reasonable efforts to investigate and remediate confirmed issues in a manner it determines appropriate. Borealis may decide, in its sole discretion, whether and when to validate, prioritize, remediate, disclose, credit, or communicate about any report. Borealis does not commit to any specific response time, bounty payment, public acknowledgement, or remediation timeline under this policy.
Confidentiality and Disclosure
All reports and related communications are confidential. Reporters may not publish, disclose, discuss, or use any discovered issue, report content, or Borealis response without Borealis’s prior written consent. Borealis may request coordinated disclosure timing, may require redaction of exploit details, and may deny permission for public disclosure where customer protection, legal obligations, or operational security so require.
No Waiver; No Offer; Reservation of Rights
This policy is a voluntary disclosure channel only. It does not create any contract, bounty program, agency relationship, immunity, or waiver of any legal right, claim, defense, privilege, or remedy. Borealis reserves the right to investigate, escalate, suspend access, refer matters to law enforcement, pursue civil claims, or take any other action it deems appropriate if conduct falls outside this policy or creates legal, operational, or customer risk.