Vulnerability Disclosure Policy
Effective Date: May 29, 2026
SunStone Secure, LLC ("SunStone," "we," "us," or "our") welcomes the security research community's contributions to keeping our products, customers, and users safe. This policy describes how to report a suspected vulnerability and what you can expect from us in return.
1. Scope
This policy applies to the following assets owned and operated by SunStone Secure:
- sunstonesecure.com and its subdomains
- The Artemis™ compliance platform and tenants we operate on behalf of customers
- SunStone-published APIs and edge functions
2. Out of Scope
Testing the following is not authorized under this policy:
- Denial-of-service (DoS / DDoS) or volumetric attacks
- Social engineering of SunStone employees, customers, or contractors (including phishing, vishing, smishing)
- Physical attacks against SunStone offices, equipment, or personnel
- Third-party services we rely on (e.g., hosting, email, analytics, GRC integrations) — please report directly to those providers
- Automated scanning that degrades service availability for other users
- Accessing, modifying, exfiltrating, or destroying data belonging to other SunStone customers
- Findings derived from outdated software whose impact cannot be demonstrated
3. Safe Harbor
SunStone considers security research conducted in good faith and in accordance with this policy to be authorized. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We will work with you to understand and resolve the issue quickly, and SunStone will not recommend or pursue legal action related to your research, provided you:
- Make a good-faith effort to avoid privacy violations, degradation of user experience, and disruption to production systems
- Do not exploit a vulnerability beyond the minimum needed to confirm its existence
- Do not disclose the issue publicly before we have addressed it (see Section 7)
- Do not access, modify, or retain data that is not your own
4. How to Report
Email info@sunstonesecure.com with the subject prefix [Security]. Please include:
- The affected URL, endpoint, or component
- A clear description of the vulnerability and its impact
- Step-by-step reproduction instructions (screenshots, request/response captures, or short proof-of-concept code are welcome)
- Any relevant logs, payloads, or test accounts you used
- How you'd like to be credited (name, handle, organization) if a fix is shipped
If you require encrypted communication, request a PGP key in your initial message and we will respond with one.
5. What to Expect From Us
- Acknowledgement: within 3 business days of your initial report
- Initial triage and severity assessment: within 10 business days
- Status updates: at least every 14 days until the report is resolved
- Resolution: targets based on severity (Critical: 30 days; High: 60 days; Medium/Low: best effort)
- Recognition: public credit in our acknowledgements once a fix is deployed, if you choose
6. Rewards
SunStone does not currently operate a paid bug-bounty program. We recognize valid reports with public credit (with your permission) and our sincere thanks.
7. Coordinated Disclosure
We follow coordinated disclosure. Please give us a reasonable opportunity to remediate before publishing details — typically 90 days from initial report, or sooner if we agree the fix is complete. We are happy to coordinate joint disclosure timelines and CVE assignment where applicable.
8. Questions
Questions about this policy can be sent to info@sunstonesecure.com. See also our security.txt file.