Security
Reporting a vulnerability
Email security@aurelius.work with a description of the issue, reproduction steps, and any proof-of-concept code. We acknowledge within 5 business days and triage within 10 business days. Our coordinated-disclosure target is 90 days from acknowledged receipt.
The canonical version of this policy is at /.well-known/security.txt per RFC 9116.
Scope
In scope:
- aurelius.work and all *.aurelius.work subdomains.
- All /api/* endpoints.
- Authentication, authorization, rate-limiting, and audit-log mechanisms.
- AI-safety issues (prompt injection, data exfiltration, cross-user leakage).
- Stripe-flow integrity (webhook validation, payment-state consistency).
Out of scope:
- Third-party services we rely on (Anthropic, Stripe, Turso, Vercel, Resend, Cloudflare, Google); report issues in those services directly to the vendor.
- Volumetric denial-of-service attacks. You may demonstrate that a capacity limit exists, but do not actually disrupt the Service.
- Social-engineering attacks against our staff.
- Physical attacks against our infrastructure.
- Missing security headers reported on their own, without a demonstrated exploitable impact.
- Spam-related issues (CAN-SPAM and similar) without exploit potential.
Safe harbor
We will not pursue legal action against security researchers who:
- Report issues in good faith and within the scope above.
- Do not access, modify, or destroy data beyond what is necessary to demonstrate the vulnerability.
- Do not disrupt or degrade the Service or other users' experience.
- Do not publicly disclose before we have had a reasonable opportunity to remediate (default: 90 days from acknowledged receipt).
- Comply with applicable law.
Activities not consistent with the above may result in legal action, including under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) or analogous laws in your jurisdiction. When in doubt, ask before testing.
Bounty
We do not currently offer a paid bug-bounty program. Confirmed reports of meaningful issues will be credited in the Acknowledgments section below (with researcher consent) and may receive Aurelius credit-pack rewards at our discretion.
Our security commitments
- All traffic over TLS 1.2+; HSTS with includeSubDomains and preload.
- Passwords hashed with bcrypt; never logged in plaintext.
- OWASP-aligned input validation and output encoding throughout.
- Durable, distributed rate limiting on every public endpoint.
- Append-only security event log, with email alerts on critical events (rate-limited by a cooldown so a burst of events cannot flood the inbox).
- Isolation and hardening headers (CSP, X-Frame-Options: DENY, COOP/CORP) on every response.
- Notification to the supervisory authority within 72 hours of becoming aware of a personal-data breach, per GDPR Article 33.
- Public audit history in the /audits/ directory of our repository.
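The header commitments above (HSTS with includeSubDomains and preload, CSP, X-Frame-Options DENY, COOP/CORP) are the kind of thing a researcher can verify on any response before reporting. The following is an added example of such a check, not code from Aurelius; the header values it runs against are constructed sample responses, and the one-year minimum max-age is the requirement of the public HSTS preload list, not a figure from this page.

```python
"""Check an HTTP response's headers against the commitments stated above.

Added example: not part of the Aurelius code base. Sample headers below are
constructed for illustration.
"""
import re
from typing import Dict, List

# The public HSTS preload list requires max-age of at least one year (31536000 s),
# includeSubDomains, and the preload token.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive per RFC 6797, so they are lower-cased;
    valueless directives (includeSubDomains, preload) map to an empty string.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means every commitment holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age is treated as zero-length
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below preload minimum {PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not re.search(r"\b(default-src|script-src)\b", csp):
        # A CSP that restricts neither default-src nor script-src does not limit script loading.
        findings.append("CSP sets neither default-src nor script-src")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo != "DENY":
        findings.append(f"X-Frame-Options is {xfo!r}, expected DENY")

    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    if coop not in ("same-origin", "same-origin-allow-popups"):
        findings.append(f"COOP is {coop!r}, expected same-origin")

    corp = h.get("cross-origin-resource-policy", "").strip().lower()
    if corp not in ("same-origin", "same-site"):
        findings.append(f"CORP is {corp!r}, expected same-origin or same-site")

    return findings


# Constructed sample responses (not captured from aurelius.work).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "OK")
```

Run it against a live response by feeding the `dict(response.headers)` from your HTTP client of choice; the function is deliberately client-agnostic so it can sit in a test suite that hits a staging deployment.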
Acknowledgments
Researchers who responsibly disclosed issues are credited here, with their permission.
No public acknowledgments yet. Be the first.