SECURITY PROTOCOL
Vulnerability Disclosure
Last Updated: January 12, 2026
CytherAI values the security community. We appreciate responsible disclosure and commit to working with researchers to verify and address issues promptly.
Security Contact:
For encrypted communication, request PGP key via above email.
security@cytherai.comFor encrypted communication, request PGP key via above email.
Scope
This policy applies to:
- CytherAI core system (neural theorem prover)
- Build and verification tooling
- Official websites and infrastructure
- Deployment containers and orchestration
Out of Scope
- Third-party dependencies (report to upstream maintainers)
- Theoretical attacks without proof of concept
- Social engineering attacks
- Physical security of customer deployments
Reporting a Vulnerability
Email security@cytherai.com with:
- Description: Clear summary of the vulnerability
- Impact: Potential security impact and attack scenarios
- Reproduction: Step-by-step instructions
- Environment: Affected versions, configurations
- Proof of Concept: Code, logs, or screenshots if applicable
Response Timeline
- Initial Response: Within 48 hours
- Triage & Validation: Within 7 days
- Fix Timeline: Severity-dependent (see below)
- Disclosure: Coordinated with reporter
Severity Levels
- Critical: Fix within 7 days (RCE, auth bypass)
- High: Fix within 30 days (privilege escalation, data exposure)
- Medium: Fix within 90 days (DoS, information disclosure)
- Low: Fix in next release cycle
Safe Harbor
We consider security research under this policy to be:
- Authorized under applicable law
- Exempt from DMCA claims
- Protected from legal action by CytherAI
Requirements: Follow responsible disclosure, do not access customer data, do not cause service disruption, report findings promptly.
Coordinated Disclosure
We prefer coordinated disclosure. We will:
- Work with you to understand and validate the vulnerability
- Develop and test a fix before public disclosure
- Credit you in security advisories (unless you prefer anonymity)
- Coordinate disclosure timing with you
Typical disclosure window: 90 days after report or fix availability, whichever comes first.
Hall of Thanks
We publicly acknowledge researchers who report valid vulnerabilities (with permission).
No disclosures yet. Be the first.
Non-Security Contact
For non-security inquiries: contact@cytherai.com