Vulnerability Disclosure Policy

This policy covers the Human Signal Index web application, its public API endpoints, and its authentication flows. If you are unsure whether something is in scope, ask before you test.

• Email a clear description to security@amenxlabs.com.
• Include the steps to reproduce, the affected URL or endpoint, and the impact you observed.
• Attach a proof of concept where it helps — screenshots, request/response samples, or a short script.
• Send one issue per report so we can track each to resolution.

If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research. We consider activity conducted under this policy to be authorized. If a third party brings action against you for work that followed this policy, we will make that authorization known.

• Denial-of-service, load, or stress testing against our live service.
• Social engineering of our staff, testers, or users.
• Physical attacks, or accessing accounts and data that are not your own.
• Automated scanning that degrades the service for others.
• Reports from automated tools with no demonstrated, exploitable impact.

• We acknowledge your report within three business days.
• We give you an assessment and a likely timeline within ten business days.
• We keep you updated as we work on a fix, and we tell you when it ships.

Please give us a reasonable chance to fix an issue before you discuss it publicly — 90 days is a good default. We are happy to coordinate a disclosure date and to credit you for the finding if you would like that.

Security reports: security@amenxlabs.com. For misconduct or abuse rather than a technical flaw, use the whistleblower center.