Vulnerability disclosure programme
Axion is part of the Aevrix Group disclosure programme. The canonical policy lives at aevrix.org/policy/. This page is the Axion-specific scope and contact path. Researchers acting in good faith within the rules below have full safe harbour.
In scope
| Asset | Type | Tier |
|---|---|---|
| axionchat.chat apex (Synapse + auth + landing) | Service | Tier 1 |
| app.axionchat.chat (Element web client) | Web app | Tier 1 |
| livekit.axionchat.chat (SFU + Egress) | Media stack | Tier 1 |
| media.axionchat.chat (Matrix media) | Media surface | Tier 1 |
| sygnal.axionchat.chat (FCM/APNs gateway) | Push | Tier 1 |
| push.axionchat.chat (ntfy) | Push | Tier 2 |
| s3.axionchat.chat (MinIO API) | Object store | Tier 1 |
| Axion mobile clients (latest published build) | Client | Tier 1 |
| Tor v3 hidden service for the apex | Service | Tier 2 |
Out of scope
- Vendor surfaces we do not own: Cloudflare, Backblaze B2, Contabo, Google Workspace. Report to the vendor.
- Customer data, founder accounts, employee mailboxes. Never. Stop if you accidentally land there.
- Status pages, uptime monitors, and other vendor-hosted dashboards.
- Third-party libraries we depend on (npm, PyPI, crates.io) unless the finding is in our specific usage.
- SPF / DKIM / DMARC complaints — our mail policy is intentional.
- Self-XSS without a credible chain to another user.
- Missing best-practice headers on static-only pages with no authenticated state.
- Clickjacking on pages with no sensitive actions.
Response SLAs
| Stage | Target SLA |
|---|---|
| First reply | ≤ 2 business days |
| Triage decision | ≤ 5 business days |
| Remediation plan | ≤ 10 business days |
| Critical fix shipped | ≤ 14 days |
| High fix shipped | ≤ 30 days |
| Medium / Low fix shipped | ≤ 90 days or risk-accepted |
Safe harbour
If you stay within scope and the rules of engagement at aevrix.org/policy/, we will not pursue legal action against you, request prosecution, or seek civil damages. Good-faith research against in-scope Axion assets is treated as authorised conduct.
What you must not do
- Access, modify, or exfiltrate data belonging to other users.
- Run automated scanners against production without rate limits (stay under 5 requests/second/host).
- Attempt DDoS, volumetric flooding, or capacity exhaustion.
- Social-engineer or phish Aevrix staff, contractors, or vendors.
- Publicly disclose before a fix is shipped or before the coordinated-disclosure window has elapsed.
- Use findings to extort. Disclosure-for-payment threats void safe harbour immediately.
How to report
Send your report to security@axionchat.chat. Include: affected asset, reproduction steps, impact, your handle for credit, and any proof-of-concept you are comfortable sharing. PGP available on request — see aevrix.org/pgp/.
Bounty
Axion does not currently operate a paid bug-bounty programme. We offer public credit, a written reference letter on request, and merchandise where shipping permits. When the company can support a paid programme responsibly, it will be announced at aevrix.org/policy/ first.
Hall of Fame
Valid reports earn an entry at aevrix.org/hall-of-fame/ with the bug class and date, with your handle or anonymously by request.
Direct line: security@axionchat.chat