Vulnerability Disclosure Policy

1. Introduction

Empowered Humanity, Inc. takes the security of our systems, products, and data seriously. We recognize that security researchers and members of the broader community play a valuable role in helping us maintain a strong security posture. We welcome and encourage responsible disclosure of security vulnerabilities and are committed to working with researchers to verify and address potential issues.

2. Scope

This policy applies to the following systems and services:

• •All Empowered Humanity, Inc. products and services, including TrustShield AI, IntelRAG, ThreatProfile, DefenseRadar, DocForge Defense, and ContractorAudit.
• •The empoweredhumanity.ai domain and all associated subdomains.
• •Any software developed and deployed by Empowered Humanity, Inc., including APIs, web applications, and supporting infrastructure.

3. How to Report

If you believe you have discovered a security vulnerability, please report it to us by emailing security@empoweredhumanity.ai. Please include the following information in your report:

• •Description: A clear and detailed description of the vulnerability.
• •Reproduction Steps: Step-by-step instructions to reproduce the issue, including any tools or configurations used.
• •Affected Component: The specific product, service, URL, or system component where the vulnerability was found.
• •Potential Impact: Your assessment of the severity and potential impact of the vulnerability if exploited.

4. Safe Harbor

Empowered Humanity, Inc. supports responsible security research. If you conduct vulnerability research in accordance with this policy, we consider your research to be authorized and will not initiate legal action against you.

• •Researchers acting in good faith to comply with this policy will not face legal action from Empowered Humanity, Inc..
• •We will work with you to understand and resolve the issue quickly, and will not file a complaint with law enforcement against you if you follow this policy.
• •This safe harbor is consistent with the Department of Justice framework for good faith security research, which recognizes that security research performed in good faith constitutes authorized conduct.

5. What to Report

We are interested in receiving reports of the following types of vulnerabilities:

• •Security vulnerabilities in web applications, APIs, or infrastructure.
• •Authentication or authorization bypasses.
• •Data exposure or unintended information disclosure.
• •Injection flaws (SQL injection, XSS, command injection, etc.).
• •Cryptographic weaknesses or misconfigurations.

6. What NOT to Test

The following activities are expressly prohibited and fall outside the scope of this policy:

• •Denial of service (DoS) or distributed denial of service (DDoS) attacks.
• •Social engineering attacks against employees, contractors, or partners.
• •Physical security testing of offices, data centers, or other facilities.
• •Spamming or unsolicited bulk messaging.
• •Brute forcing user accounts or credential stuffing attacks.

7. Response Timeline

We are committed to responding to vulnerability reports in a timely manner:

• •Acknowledgment: We will acknowledge receipt of your report within 48 hours.
• •Triage: We will validate and assess the reported vulnerability within 5 business days.
• •Remediation: Fix timelines are severity-dependent. Critical and high-severity issues are typically remediated within 30 days. We will keep you informed of our progress.

8. Recognition

We value the contributions of security researchers who help us protect our systems and our customers. Researchers who report valid vulnerabilities will be credited (with their permission) in any related security advisories. We do not currently operate a monetary bug bounty program, but we are committed to recognizing responsible disclosure through public acknowledgment.

9. Contact

For all security-related inquiries and vulnerability reports, contact us at: