Responsible disclosure policy

Our core mission at HiddenLayer is security for Artificial Intelligence. To safeguard AI, we also have to ensure the safety and security of the technology that underpins its use and development. Despite best efforts to develop secure software, vulnerabilities are an unfortunate and inevitable part of software release. When a new vulnerability is discovered, what matters is how it is disclosed to the affected company, and ultimately how it’s dealt with. 
This policy details our responsible disclosure practices upon discovery of a vulnerability by HiddenLayer researchers and outlines our preferences when submitting vulnerabilities to us that have been found in HiddenLayer systems, products or services.

HiddenLayer adheres to a 90-day disclosure window for a given vulnerability, after which time the vulnerability will be shared with the public. In special circumstances an extension may be considered, for example if the vendor is about to release a patch for the vulnerability in question and has been in active communication. In situations where both parties agree to expedite this process, e.g. when the affected vendor is ready to release a patch ahead of the end of the disclosure period, then public disclosure can be brought forward to the agreed upon date.

In cases of high severity vulnerabilities where they are being actively exploited in the wild or where the propensity to cause harm is severe, we reserve the right to expedite this process; however this will not be without prior contact with the affected party. If providing a fix is not feasible in the agreed timeframe, we ask that at the very least a security advisory listing potential mitigation be posted by the maintainer, but after this point we may share details of the vulnerability in order to help defenders mitigate the attack.

The following HiddenLayer systems, services and products are considered in-scope and fall under the responsible disclosure policy outlined. Anything that is not defined within this policy is excluded from scope. Any vulnerability research or other such testing that is out-of-scope is considered unauthorized. If you are concerned that your testing is not under scope, we encourage you to contact us at [email protected]. 

• *.hiddenlayer.com
• hiddenlayer.com
• *.hiddenlayer.ai
• hiddenlayer.ai
• HiddenLayer Machine Learning Detection and Response (MLDR)
• HiddenLayer Model Scanner

To report a vulnerability to us, please contact [email protected]. You may only conduct vulnerability research or other such testing against HiddenLayer under the terms of this policy:

• Findings must be reported as soon as possible to HiddenLayer via the channels specified in this document.
• Only the items outlined in the scope of this policy may be considered for vulnerability assessment.
• If a vulnerability results in access to HiddenLayer systems or data, the researcher will cease further ingress into said systems, halt their testing, and will not exfiltrate data. Additionally, they will report their findings with immediate effect.
• The researcher will operate in good faith and not disclose the vulnerability to other parties without giving the adequate amount of notice (at least 90 days).
• The researcher will not degrade or otherwise negatively impact the products, services or systems of HiddenLayer. This includes but is not limited to denial of service, degradation of service, or the destruction of Hiddenlayer data.
• Any vulnerability research or testing should only be performed on systems, services and products that are classified as in-scope as defined by this policy.

• We expect the affected party to operate in good faith so that responsible disclosure practices are upheld on both sides of the process.
• We provide detailed descriptions of the vulnerability, and, if possible, a working Proof of Concept (POC) and recommended remediation options.
• We will initiate and maintain an open line of communication throughout the disclosure process.
• We will provide a 90-day disclosure window but reserve the right to expedite this under the terms defined within this policy.