Security Policy
Effective: 1 January 2025 · Last updated: 1 January 2025
Security Posture
Security is a first principle at CytherAI, not a compliance checkbox. Our public-facing properties are designed with minimal attack surface: no third-party scripts, no client-side tracking, no external dependencies beyond the hosting provider.
Vulnerability Disclosure
If you discover a security vulnerability in any CytherAI property, we ask that you disclose it responsibly.
Report to: security@cytherai.com
Encryption: PGP key available upon request
Response time: Initial acknowledgement within 48 hours
What to Include
- Description of the vulnerability and its potential impact
- Steps to reproduce
- Affected URL, endpoint, or component
- Your contact information for follow-up
Our Commitments
- We will acknowledge receipt within 48 hours
- We will provide an assessment and expected remediation timeline
- We will not take legal action against good-faith security researchers
- We will credit reporters (with permission) once the issue is resolved
What We Ask
- Do not access or modify data belonging to other users
- Do not degrade the availability of our services
- Allow reasonable time for remediation before public disclosure
- Do not use automated scanning tools against production systems without prior coordination
Scope
This policy applies to:
- cytherai.com and all subdomains
- Public-facing APIs and services operated by CytherAI
Client-specific systems deployed under engagement agreements are covered by separate security terms within those agreements.
Contact
Security issues: security@cytherai.com
General inquiries: contact@cytherai.com