Responsible disclosure policy

Our core mission at HiddenLayer is security for Artificial Intelligence (“AI”). To safeguard against the risks of AI use, we strive to ensure the safety and security of the technology that underpins its use and development. Despite efforts to develop secure software, vulnerabilities are an unfortunate and inevitable part of software releases. When a new vulnerability is discovered, what matters is how it is disclosed to the affected company and, ultimately, how it is dealt with. Our primary concern is helping vendors fix vulnerabilities and advising affected parties on risks and mitigations.

This policy details our responsible disclosure practices upon discovery of a vulnerability by HiddenLayer researchers and outlines our preferences and requirements for submitting vulnerabilities to us that have been found in HiddenLayer systems, products, or services.

HiddenLayer adheres to a 60-day disclosure window for a given vulnerability following the date such vulnerability is discovered by or otherwise reported in writing to HiddenLayer, after which time an advisory will be shared with the public via the CVE program, HiddenLayer’s blog, and social media. In special circumstances, a 30-day extension may be reasonably necessary, for example, if the vendor is about to release a patch for the vulnerability in question and has been in active communication with HiddenLayer. In situations where both parties agree to expedite the disclosure process (e.g. when the affected vendor is ready to release a patch ahead of the end of the disclosure period), then public disclosure can be brought forward to the agreed-upon date.

In cases of high-severity vulnerabilities that we know are being actively exploited or where we believe the propensity to cause harm is severe, we reserve the right to expedite this process; however, HiddenLayer will use commercially reasonable efforts to contact the affected party in such circumstances. If providing a fix is not reasonably likely in the agreed timeframe, a security advisory listing potential mitigation must be posted by the maintainer. After this, we may share details of the vulnerability in order to help others mitigate potential attacks.

Vendors who do not acknowledge our initial disclosures within 15 days will be deemed to be non-responsive. HiddenLayer will publish vulnerability details after 45 days for any vulnerabilities in software maintained by non-responsive vendors or obsolete software with no active maintainer.

To report a vulnerability to us, please submit to the form below.

• Findings must be reported in writing as soon as possible to HiddenLayer (in no case more than [twenty-four (24) hours]) via the channels specified in this document.
• Only the items outlined in the scope of this policy may be considered for vulnerability assessment.
• If a vulnerability results in access to HiddenLayer systems or data, the researcher will cease further ingress into said systems, halt their testing, and will not exfiltrate data. Additionally, they will report their findings to HiddenLayer immediately.
• The researcher will operate in good faith and not disclose the vulnerability to other parties without giving an adequate amount of written notice to HiddenLayer (at least 90 days).
• The researcher will not degrade or otherwise negatively impact the products, services or systems of HiddenLayer. This includes but is not limited to denial of service, degradation of service, or the destruction of HiddenLayer data.
• Any vulnerability research or testing may only be performed on systems, services, and products classified as in-scope as defined by this policy.

The following HiddenLayer systems, services, and products are considered in-scope and fall under the responsible disclosure policy outlined herein. Anything that is not listed below is excluded from the responsible disclosure policy. Any vulnerability research or other such testing that is out-of-scope is considered unauthorized. If you are concerned that your testing is out-of-scope, we encourage you to contact us at [email protected]. 

• *.hiddenlayer.com
• hiddenlayer.com
• *.hiddenlayer.ai
• hiddenlayer.ai
• HiddenLayer AI Detection & Response (AIDR)
• HiddenLayer Model Scanner

When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

• Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy solely in connection with actions or inactions conducted as reasonably necessary for such research;
• Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls solely in connection with actions or inactions conducted as reasonably necessary for such research;
• Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would reasonably interfere with conducting security research, and we waive those restrictions on a limited, as needed basis solely in connection with actions or inactions conducted as reasonably necessary for such research; and
• Lawful and conducted in good faith.

You must comply with all applicable laws in conducting such research.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our submission form before taking any further action.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.