← Back to home

Trust

Security & Responsible Disclosure

Effective date: 11 May 2026

Introduction

PulseAI welcomes coordinated disclosure of security vulnerabilities. This page describes scope, our safe-harbor commitment, and how to report.

In scope

All PulseAI domains and subdomains, including the marketing site, the regional product environments, and any public well-known endpoints PulseAI publishes (such as /.well-known/security.txt).

Out of scope

  • Social-engineering of staff or contractors.
  • Physical attacks or attacks requiring physical access.
  • Denial-of-service or volumetric load testing.
  • Attacks against third-party cloud services PulseAI relies on (AWS and Google cloud services).
  • Automated-scanner output without independent validation.

Safe harbor

PulseAI Now Inc. will not pursue civil or criminal action against, nor assist law enforcement in pursuing, security researchers who, in good faith, comply with this Responsible Disclosure Policy. Activities conducted within the scope of this policy will be treated as authorized access for the purposes of applicable Canadian computer-crime law and equivalent foreign statutes (including the U.S. CFAA where applicable). This safe harbor does not extend to activities that fall outside the scope above, to third-party systems we do not control, or to research that intentionally degrades the service or accesses customer data beyond the minimum needed to demonstrate impact.

How to report

  • Email security@pulseai.now, encrypted with our PGP key. Public key at /pgp-key.txt; also published on keys.openpgp.org.
  • Include: affected URL, reproduction steps, observed impact, your contact info, and whether you want public acknowledgment.
  • For especially sensitive disclosures, request an out-of-band channel in your initial email.

PGP fingerprint

E0BF 15DE 03AF EB4D F290 C08B 023B 1A3F EC97 333E

What we commit to

  • Acknowledgment within 3 business days.
  • Triage status within 10 business days.
  • Default coordinated-disclosure window: 90 days from acknowledgment, negotiable for critical or actively exploited issues.
  • Public credit unless the reporter declines.

What we ask

  • Don’t access data beyond the minimum needed to demonstrate impact.
  • Don’t degrade service for other users.
  • Give us a reasonable opportunity to fix before public disclosure.

No bug bounty yet

PulseAI does not currently run a paid bug-bounty program. We publicly acknowledge contributing researchers in the Hall of fame section below. We will revisit a paid program after general availability.

Hall of fame

We thank the following researchers for their coordinated disclosures.

No disclosures published yet.

EU CRA alignment

This policy is intended to satisfy the coordinated-vulnerability-disclosure obligations of the EU Cyber Resilience Act, which become operative on 11 September 2026. For active-exploit reports relevant to ENISA, we maintain an internal notification process separate from this page.

PulseAI Now Inc. · Security & Responsible Disclosure · Version 1.0 · May 11, 2026