Home Use Cases Applications Methodology About Contact
Security & Trust

Responsible
Disclosure —
we invite scrutiny.

Security researchers who identify vulnerabilities in the VIGIL platform are performing a service. This policy tells you exactly how to report what you find, what we commit to doing with it, and the protections we extend to researchers who act in good faith.

Effective: 01 July 2026 Last Reviewed: July 2026 Scope: vigil.arrcglobal.com Response SLA: 5 Business Days
Our Position

A platform that handles sensitive security intelligence must itself be secure. We believe independent scrutiny makes us stronger. Researchers who find and responsibly disclose vulnerabilities are partners in that goal — not adversaries.

01Our Position

Why this policy exists

VIGIL processes sensitive site intelligence and assessment data for enterprise clients operating in security-critical environments. The integrity of our platform is not a compliance checkbox — it is a core operational requirement.

Publishing a responsible disclosure policy is an act of confidence, not an admission of weakness. It signals to clients, prospects, and the broader security community that we take platform security seriously enough to invite independent verification. Platforms that hide from scrutiny are less trustworthy than platforms that invite it.

This policy applies to the VIGIL platform at vigil.arrcglobal.com and all associated infrastructure operated by Anshin Risk and Resilience Consulting Private Limited (ARRC Global). It does not apply to third-party services, tools, or platforms that VIGIL may reference or link to.

This is a responsible disclosure programme, not a bug bounty. We do not currently offer financial rewards for vulnerability reports. We do offer something else: a clear process, a genuine commitment to respond, and public acknowledgement for researchers whose findings improve the platform. A formal bug bounty programme is on the roadmap — see our Trust & Security page for the current certification and assurance timeline.

02Scope

What is and is not covered

Before reporting, confirm that your finding falls within scope. Reports on out-of-scope items will be acknowledged but not processed as security vulnerabilities.

In Scope
  • VIGIL platform application — vigil.arrcglobal.com
  • Authentication and session management
  • API endpoints — all authenticated and unauthenticated
  • Authorisation logic and access control (RBAC)
  • Data exposure — PII, client data, internal paths in responses
  • Injection vulnerabilities (SQL, command, LDAP, XML)
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Insecure direct object references (IDOR)
  • Business logic flaws with security impact
  • Server configuration — headers, TLS, exposed services
  • Cryptographic weaknesses in platform implementation
  • Sensitive data in client-side code or browser storage
Out of Scope
  • Third-party services, SaaS tools, or infrastructure not operated by ARRC Global
  • Social engineering of ARRC Global staff or clients
  • Physical security of ARRC Global premises
  • Denial-of-service attacks or volumetric testing
  • Automated scanning without prior written permission
  • Findings on arrcglobal.com (parent site) — report separately to contact@arrcglobal.com
  • Theoretical vulnerabilities without a working proof of concept
  • Missing security headers rated as informational only with no demonstrated impact
  • SSL/TLS best-practice recommendations without exploitability
  • Rate-limiting on low-sensitivity endpoints
  • Vulnerabilities in browsers or operating systems

If you are unsure whether a finding is in scope, report it. We will classify it and respond accordingly. We would rather review an out-of-scope report than have an in-scope vulnerability go unreported because a researcher was uncertain.

03How to Report

The reporting channel

All vulnerability reports must be submitted by email to the dedicated security contact. Do not report security vulnerabilities through public issue trackers, social media, or general support channels.

Security Disclosure Contact
Email contact@arrcglobal.com
Subject Line [VIGIL-SECURITY] Brief description of finding
Encryption Not currently required. If your report contains highly sensitive proof-of-concept details, request our PGP key before sending by emailing the address above with subject [PGP-REQUEST].
Language English preferred. Reports in other languages will be translated — response time may be extended by up to 5 business days.

A machine-readable security.txt file is published at vigil.arrcglobal.com/.well-known/security.txt in accordance with RFC 9116, providing a standardised discovery path for security researchers.

04What to Include

Report template

The more precisely you document a vulnerability, the faster we can triage and remediate it. Use the following template as a guide. Not every field will be applicable to every finding — include what is relevant.

Suggested Report Structure
TitleBrief description — e.g. "IDOR on assessment endpoint allows cross-client data access"
SeverityYour assessment: Critical / High / Medium / Low / Informational (CVSS score if available)
Affected URLThe specific endpoint, page, or API path where the vulnerability was observed
DescriptionClear explanation of the vulnerability — what it is, why it exists, and what an attacker could achieve by exploiting it
Steps to ReproduceStep-by-step instructions sufficient for our team to reproduce the finding independently
Proof of ConceptScreenshot, video, HTTP request/response, or code demonstrating the vulnerability. Redact any sensitive data from PoC materials.
ImpactWhat data, functionality, or user accounts are affected. What is the realistic worst-case outcome if exploited?
Suggested FixOptional but appreciated. If you have a view on remediation, include it.
Your DetailsOptional. Name or alias for acknowledgement purposes. Anonymous reports are accepted and will receive the same attention.
05What We Commit To

Our response obligations

When you report a vulnerability in good faith and in accordance with this policy, we commit to the following:

01
Acknowledgement
Within 5 business days of receipt
We will confirm receipt of your report, assign it an internal reference number, and provide initial triage classification (in-scope / out-of-scope, severity assessment). If we need clarification, we will ask at this stage.
02
Triage & Validation
Within 10 business days of acknowledgement
Our security team will attempt to reproduce the vulnerability. We will confirm whether we can validate the finding and provide our severity classification. If our classification differs from yours, we will explain why.
03
Remediation
Target based on severity
We will develop and deploy a fix. Target remediation timelines: Critical — 7 days · High — 14 days · Medium — 30 days · Low — 60 days. These are targets, not guarantees. Complex vulnerabilities may require longer — we will keep you informed of progress.
04
Notification
Upon fix deployment
We will notify you when the vulnerability has been remediated and provide the opportunity to verify the fix before any public disclosure. We will not close a report as resolved without informing you.
05
Disclosure
Coordinated — see Section 9
We will work with you to agree the timing and content of any public disclosure. We will not disclose your report without your consent. You will not publish before we have had a reasonable opportunity to remediate.

We will not leave you in silence. If a report is taking longer than expected at any stage, we will proactively update you. You should never have to chase us for a status update more than once.

06Safe Harbour

Protections for good-faith researchers

ARRC Global extends the following safe harbour to security researchers who identify and report vulnerabilities in accordance with this policy:

  • No legal action. We will not initiate or support legal action against any researcher who discovers and reports vulnerabilities in good faith under this policy — including under computer fraud statutes, intellectual property law, or equivalent legislation in any jurisdiction — provided the researcher complies with the rules of engagement in Section 7.
  • No adverse engagement. We will not contact law enforcement regarding good-faith research conducted within the scope of this policy.
  • Coordination, not confrontation. Our security team will engage with researchers as collaborators, not adversaries. If a concern arises about research methodology, we will raise it directly with the researcher before taking any other action.
  • Confidentiality. We will not disclose the identity of a researcher who reports under this policy without their explicit consent — including to clients, partners, or third parties.

Safe harbour applies only to research conducted within the scope and rules of this policy. It does not extend to research that accesses, exfiltrates, or modifies client data; conducts denial-of-service attacks; targets systems outside the defined scope; or involves conduct that a reasonable security researcher would not consider necessary to demonstrate the vulnerability.

07Rules of Engagement

How research must be conducted

To remain within safe harbour and ensure your research is treated as a good-faith disclosure, the following rules apply without exception:

  • Use your own account. Research must be conducted using test accounts created for that purpose, or your own legitimately registered account. Never use another user's credentials or access another user's data.
  • Minimise data access. Access only the minimum data necessary to demonstrate the vulnerability. Stop as soon as you have sufficient evidence. Do not download, copy, or exfiltrate client data under any circumstances — even to demonstrate a finding.
  • Do not modify or delete data. Do not alter, corrupt, or delete platform data or configuration belonging to ARRC Global or any client.
  • Do not disrupt the platform. Do not conduct denial-of-service testing, volumetric load testing, or any activity that degrades platform availability or performance for other users.
  • No automated scanning without consent. Automated vulnerability scanners and crawlers produce significant platform load and noise. If you wish to use automated tooling, contact us first to agree parameters and a testing window.
  • No social engineering. Do not attempt to manipulate, deceive, or coerce ARRC Global staff, clients, or third parties as part of your research.
  • Disclose to us first. Do not publish, share, or disclose a vulnerability to any third party — including other researchers, media, or public forums — before following the disclosure timeline in Section 9 and coordinating with us.
  • Act in good faith. If you encounter a situation during research that you are unsure about, stop and ask. Genuine uncertainty handled transparently is always better than proceeding and inadvertently crossing a line.
08Out-of-Scope Conduct

What disqualifies safe harbour

The following conduct falls outside this policy and will not be covered by the safe harbour protections in Section 6. ARRC Global reserves all legal rights in response to such conduct:

  • Accessing, downloading, copying, or exfiltrating client data beyond the minimum necessary to demonstrate a vulnerability
  • Modifying, encrypting, or deleting platform data or infrastructure
  • Conducting or facilitating denial-of-service, ransom, or extortion attempts
  • Sharing vulnerability details with third parties before coordinated disclosure
  • Selling, trading, or offering vulnerability information to parties other than ARRC Global
  • Conducting physical security testing of ARRC Global premises without explicit written permission
  • Social engineering attacks targeting ARRC Global personnel or clients
  • Research conducted through accounts obtained fraudulently or belonging to other users
  • Publicly disclosing a vulnerability before ARRC Global has had a reasonable opportunity to remediate it
09Disclosure Timeline

Coordinated public disclosure

ARRC Global follows a coordinated disclosure model. We ask researchers to give us a reasonable and proportionate opportunity to remediate before any public disclosure.

  • Standard disclosure window. We request a minimum of 90 days from the date of your initial report before any public disclosure of a validated vulnerability. This is consistent with industry standards followed by major security organisations and research teams.
  • Critical vulnerabilities. For critical vulnerabilities with active exploitation potential, we may request an extended embargo while an emergency fix is developed. We will discuss this with you directly and will not request unreasonable extensions.
  • Unresponsive handler. If ARRC Global fails to acknowledge your report within 5 business days, or fails to respond substantively within 20 business days of acknowledgement, you may proceed with disclosure after notifying us of your intent. We consider this a fair backstop — it creates accountability for us to respond promptly.
  • Coordinated publication. We encourage joint disclosure where researchers wish to publish findings. We will work with you on timing, content, and format. We will not redact details of the vulnerability itself — only information that could enable exploitation before widespread patching.
  • CVE assignment. For qualifying vulnerabilities, ARRC Global will support CVE assignment and will not obstruct the researcher's right to request a CVE identifier.
10Acknowledgement

Recognising researchers who improve VIGIL

Security researchers whose reports lead to validated and remediated vulnerabilities will be offered public acknowledgement on the VIGIL Trust & Security page. Acknowledgement is:

  • Opt-in. We will ask before listing your name. Anonymous disclosure is fully supported and respected — if you prefer not to be named, your contribution will still be recorded internally and will inform our security posture.
  • Attributed accurately. We will list your name or alias as you prefer, a brief description of the category of finding (not the specific vulnerability), and the month and year of disclosure.
  • Permanent. Acknowledgements are not removed when new versions are released. Researchers who contributed to an older version of the platform remain credited.

We do not currently offer financial rewards. We recognise this is a limitation. A formal bug bounty programme with financial rewards is planned as part of the Phase 4 security roadmap. Researchers who contribute now will be credited in that programme's launch acknowledgements.

11Contact

Report a vulnerability

If you have identified a security vulnerability in the VIGIL platform, we want to hear from you. Use the channel below. Do not use public forums, social media, or general support channels to report security issues.

Security Disclosure
Email contact@arrcglobal.com
Subject Line [VIGIL-SECURITY] followed by a brief description
security.txt vigil.arrcglobal.com/.well-known/security.txt
Response SLA Acknowledgement within 5 business days
Entity Anshin Risk and Resilience Consulting Private Limited · Trading as ARRC Global · Pune, Maharashtra, India

For questions about this policy — not vulnerability reports — contact us at the same address with subject line [DISCLOSURE-POLICY]. Policy questions will be responded to within 10 business days.

For general privacy enquiries, refer to our Privacy Policy. For platform terms, refer to our Terms of Use.