Security Policy

Responsible Disclosure Policy

At Chanylia, we take the security of our platform seriously. If you believe you’ve found a security issue in our software, we’d like to hear from you. We welcome responsible disclosure from anyone — security researchers, customers, or members of the public — and we are committed to acknowledging and crediting those who help us improve the safety of our platform.


Which versions do we protect?

We actively fix security issues in our two most recent major releases. If you’re using an older version, we recommend upgrading to stay protected.


Found a security issue? Please let us know.

If you think you’ve discovered a vulnerability in the Chanylia Platform, please email us at security@chanylia.com. We ask that you do not share the details publicly until we’ve had a chance to investigate and fix the issue — this is what responsible disclosure means, and we deeply value it.

When you contact us, it helps to include:

  • A description of the issue and what harm it could cause
  • The steps needed to reproduce it
  • The version of Chanylia Platform you were using
  • Your contact details so we can follow up with you

What happens after you report?

We respect your time and effort. Here’s what you can expect from us:

  • We’ll confirm we received your report within 2 business days
  • Within 5 business days, we’ll assess the issue and let you know how serious we think it is
  • We’ll agree with you on a timeline for fixing the issue before anything is made public
  • Once resolved, we’ll publicly credit you for the discovery — with your permission

Our promises to you

  • We will not take legal action against anyone who reports a vulnerability honestly and in good faith
  • We will keep you updated throughout the process
  • Once the issue is fixed, we’ll release a security update and publish a formal security notice

What we’re not able to investigate

Some types of reports fall outside the scope of this policy:

  • Issues affecting old, unsupported versions of the platform
  • Attempts to manipulate or deceive our staff (social engineering)
  • Physical access to customer systems — the Chanylia Platform runs within your own environment, so physical security is managed by your organisation

We value your contribution

Responsible disclosure makes the internet safer for everyone. If you take the time to report a security issue to us carefully and privately, we will treat your report seriously, keep you informed, and credit your contribution publicly once the issue is resolved. Thank you for helping us protect our users.


Verifying AIMES Platform releases

Every AIMES Platform release is signed by Chanylia’s release pipeline with Sigstore cosign (https://docs.sigstore.dev/cosign/). The public key below lets you confirm that the container image and deploy bundle you pulled from repo.chanylia.com were produced by Chanylia and have not been modified since.

Public key: cosign.pub

SHA-256 fingerprint: 9760606f77d5c9bbeff08a44e1b3c0ecc02060ea98ae3fd206643a7c5642159d
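
The check described above can be scripted as follows. This is an added example, not Chanylia's own tooling. It assumes the published fingerprint is the SHA-256 of the cosign.pub file bytes and that the deploy bundle ships with a detached signature file; the script name, the image reference and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not Chanylia's own tooling.
# Assumption: the published fingerprint is the SHA-256 of the cosign.pub file bytes.
EXPECTED_FPR="9760606f77d5c9bbeff08a44e1b3c0ecc02060ea98ae3fd206643a7c5642159d"

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the key file hashes to the expected fingerprint.
# Usage: check_key_fingerprint <key-file> [expected-hex]
check_key_fingerprint() {
    key_file=$1
    expected=$(printf '%s' "${2:-$EXPECTED_FPR}" | tr 'A-F' 'a-f')
    [ -f "$key_file" ] || { echo "missing key file: $key_file" >&2; return 2; }
    actual=$(sha256_of "$key_file")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $key_file: got $actual" >&2
        return 1
    fi
}

# Verify a container image signature; cosign is never run with an unpinned key.
verify_image() {   # <key-file> <image-ref>
    check_key_fingerprint "$1" || return 1
    cosign verify --key "$1" "$2"
}

# Verify a downloaded file against a detached signature.
# Assumption: the deploy bundle ships with a separate signature file.
verify_bundle() {  # <key-file> <signature-file> <bundle-file>
    check_key_fingerprint "$1" || return 1
    cosign verify-blob --key "$1" --signature "$2" "$3"
}

# Entry point: does nothing unless the first argument is a known subcommand.
#   sh verify-release.sh image  cosign.pub repo.chanylia.com/<image>:<tag>
#   sh verify-release.sh bundle cosign.pub <bundle>.sig <bundle>
case "${1:-}" in
    image)  verify_image "$2" "$3" ;;
    bundle) verify_bundle "$2" "$3" "$4" ;;
esac
```

A fingerprint mismatch stops the script before cosign is invoked, so a substituted key file cannot produce a passing verification.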


Questions?

Reach out to us any time at security@chanylia.com.