1. Purpose and Commitment
1.1 Purpose Statement
Elnora AI, Inc ("Elnora AI") is committed to maintaining the security and integrity of our AI-powered platform for the pharmaceutical and life sciences industry. This Vulnerability Disclosure Policy ("Policy") establishes a framework for security researchers, customers, and the public to report potential security vulnerabilities in our systems responsibly.
We believe that coordinated vulnerability disclosure is essential to maintaining the trust of our pharmaceutical and life sciences customers who rely on our platform for sensitive research data.
1.2 Scope of Systems
In-Scope Systems:
This Policy covers the following internet-facing systems, applications, and services operated by Elnora AI:
| Category | Systems |
|---|---|
| Web Applications | *.elnora.ai domains and subdomains |
| API Endpoints | REST and GraphQL API endpoints |
| Authentication | Authentication and authorization flows |
| Customer Portal | Customer-facing dashboards and interfaces |
| Public Infrastructure | Publicly exposed AWS services, API gateway configurations |
Out-of-Scope Systems:
The following are explicitly excluded from this Policy:
| Category | Systems | Report To |
|---|---|---|
| AI Model Behavior | Jailbreaks, prompt injections, hallucinations, model bias, output accuracy | security@elnora.ai (will be triaged separately) |
| Third-Party Infrastructure | AWS, Azure, GCP physical/hypervisor vulnerabilities | Respective cloud providers |
| AI Provider Systems | OpenAI, Anthropic, or other AI provider vulnerabilities | Respective providers |
| Customer Systems | Customer-owned networks, systems, or data | Not our systems |
| Physical Security | Physical premises, facilities, or devices | Not covered by this Policy |
1.3 Scope of Vulnerabilities
In-Scope Vulnerabilities:
We accept reports for the following categories of security vulnerabilities:
Tier 1 - Critical (Immediate Priority):
- Authentication and authorization bypasses
- Multi-tenant data isolation failures
- Remote code execution (RCE)
- SQL injection with data exfiltration potential
- Customer data cross-contamination
- Unencrypted sensitive data transmission
- Cryptographic key exposure or misconfiguration
Tier 2 - Standard Web Application Security:
- Injection vulnerabilities (SQL, NoSQL, command, LDAP, XML/XXE)
- Cross-site scripting (XSS) - stored, reflected, DOM-based
- Cross-site request forgery (CSRF/XSRF)
- Server-side request forgery (SSRF)
- Privilege escalation
- Insecure direct object references (IDOR)
- Broken object level authorization (BOLA)
- Security misconfigurations (exposed debug endpoints, default credentials)
Tier 3 - Infrastructure:
- Local file inclusion (LFI) / Path traversal
- Session fixation or hijacking
- Known vulnerable dependencies (exploitable in our context)
- API rate limit bypasses with security implications
Out-of-Scope Vulnerabilities:
The following are not covered by this Policy:
- AI model safety issues (prompt injection, jailbreaks, hallucinations, bias)
- General security best practice gaps without proof-of-concept exploit
- Physical security compromises or intrusions
- Social engineering, phishing, or vishing attacks
- Denial of service (DoS/DDoS) attacks
- Missing rate limiting on unauthenticated endpoints
- Self-XSS requiring victim interaction beyond clicking a link
- Clickjacking without demonstrated sensitive action impact
- Missing security headers without exploitable vulnerability
- Software version disclosure
- SSL/TLS best practice recommendations without exploitable weakness
- Email enumeration (acceptable for B2B SaaS)
- Dependency vulnerabilities without demonstrated exploitability in our context
- Zero-day vulnerabilities in third-party software that the vendor has patched within the last 30 days
2. How to Report Vulnerabilities
2.1 Contact Information
Primary Contact:
- Email: security@elnora.ai
Machine-Readable Policy:
- security.txt: https://elnora.ai/.well-known/security.txt
2.2 Required Information
When submitting a vulnerability report, please include the following information:
| Field | Description | Required |
|---|---|---|
| Vulnerability Type | Category of vulnerability (e.g., XSS, SQL injection) | Yes |
| Severity Assessment | Your assessment of impact (Critical/High/Medium/Low) | Yes |
| Affected System | Specific URL, endpoint, or system affected | Yes |
| Summary Description | Brief description of the vulnerability | Yes |
| Technical Details | Detailed technical explanation | Yes |
| Reproduction Steps | Step-by-step instructions to reproduce | Yes |
| Proof-of-Concept | Screenshots, videos, logs, or code demonstrating the issue | Yes |
| Potential Impact | Description of potential business or security impact | Recommended |
| Remediation Suggestions | Your recommendations for fixing the issue | Recommended |
| Your Contact Information | Email address for follow-up communications | Yes |
Submission Guidelines:
- Submit one vulnerability per report
- Use clear, concise language
- Include all relevant technical details
- Redact any sensitive data in screenshots or logs
- Do not include actual customer data in reports
3. Safe Harbor Statement
3.1 Legal Protections
Elnora AI, Inc will not initiate legal action against security researchers who:
- Act in Good Faith: Conduct research consistent with this Policy
- Avoid Harm: Do not cause damage to systems, data, or operations
- Respect Privacy: Do not access, download, or retain user data, Protected Health Information (PHI), or customer research data
- Report Responsibly: Submit findings through designated channels and allow reasonable time for remediation before any public disclosure
- Minimize Impact: Use the minimum access necessary to demonstrate a vulnerability
3.2 Conditions for Safe Harbor
Safe harbor protection applies provided the researcher:
- Does not exploit vulnerabilities beyond proof-of-concept demonstration
- Does not engage in extortion, threats, or conditional disclosure
- Is not on OFAC sanctions lists or subject to other legal restrictions
- Complies with all applicable laws during research
- Does not access, modify, or exfiltrate production customer data
- Follows the testing guidelines outlined in Section 5
3.3 CFAA Authorization Statement
We consider activities conducted consistent with this Policy to be "authorized" conduct under the Computer Fraud and Abuse Act (CFAA). We will not pursue civil or criminal action, or support any third-party action, against researchers who comply with this Policy.
To the extent your security research is subject to restrictions imposed by contracts with Elnora AI (such as Terms of Service), we waive those restrictions to the extent necessary to permit your security research under this Policy.
3.4 Exclusions from Safe Harbor
Safe harbor protection does not extend to:
- Testing conducted outside the scope defined in this Policy
- Activities that violate applicable laws
- Actions that harm Elnora AI customers, users, or third parties
- Disclosure to third parties before coordinated public disclosure
- Attempts to extort payment or other benefits
4. What to Expect from Elnora AI
4.1 Response Timeline
| Stage | Timeline | Description |
|---|---|---|
| Initial Acknowledgment | 3 business days | Confirmation of receipt and tracking ID assignment |
| Triage Completion | 5 business days | Validation and initial severity assessment |
| Status Updates | Every 14 days | Progress updates until resolution |
4.2 Remediation Timeline
Elnora AI commits to the following remediation timelines based on validated severity:
| Severity | CVSS Score | Remediation Target | Disclosure Timeline |
|---|---|---|---|
| Critical | 9.0 - 10.0 | 30 days | 45 days post-fix |
| High | 7.0 - 8.9 | 30 days | 45 days post-fix |
| Medium | 4.0 - 6.9 | 60 days | 90 days post-fix |
| Low | 0.1 - 3.9 | 90 days | 120 days post-fix |
4.3 Communication Commitments
Elnora AI will:
- Take all good-faith reports seriously
- Evaluate findings promptly and thoroughly
- Validate vulnerabilities with researchers when needed
- Take appropriate remediation steps
- Protect researcher identity unless consent is provided
- Acknowledge submissions within the stated timeline
- Maintain regular communication throughout investigation
- Notify researchers when vulnerabilities are remediated
4.4 Exception Handling
If a vulnerability cannot be remediated within the standard timeline, Elnora AI will:
- Document a risk treatment plan
- Communicate the extended timeline to the researcher
- Provide regular status updates
- Consider compensating controls
5. Rules of Engagement
5.1 Permitted Testing Activities
Researchers are permitted to:
- Test using their own accounts or designated test accounts
- Perform reconnaissance using public DNS enumeration, security header analysis, and SSL/TLS configuration review
- Submit non-destructive proof-of-concept demonstrations
- Create test data (which will be deleted after validation)
- Attempt authorization bypasses against their own resources
- Conduct API fuzzing within documented rate limits
5.2 Prohibited Activities
The following activities are strictly prohibited:
Data Integrity:
- Modifying or deleting customer data
- Accessing other customers' research data
- Corrupting AI models or training data
- Tampering with scientific results or outputs
Service Disruption:
- Denial of service attacks
- Resource exhaustion
- Flooding or spam attacks
- Intentional service degradation
Unauthorized Access:
- Accessing customer accounts without explicit permission
- Exfiltrating real pharmaceutical or research data
- Pivoting to internal AWS resources
- Social engineering employees, contractors, or customers
Destructive Testing:
- Running automated scanners without prior approval
- Exploiting vulnerabilities beyond proof-of-concept
- Chaining vulnerabilities for deeper unauthorized access
- Physical security testing
5.3 Data Handling Requirements
Production Data Protection:
Given the sensitivity of pharmaceutical research data, researchers must:
- Stop Immediately if customer data exposure is discovered
- Do Not Download, Store, or View customer research data
- Report the Vulnerability without accessing the data
- Delete Immediately any accidentally cached data
Regulatory Compliance:
Pharmaceutical research data may be subject to:
- FDA regulations (drug development data)
- Export control (ITAR/EAR for certain compounds)
- Customer NDAs and IP agreements
- HIPAA (Protected Health Information)
Unauthorized access may have legal consequences beyond this Policy.
5.4 Third-Party Scope Exclusions
Do not test systems belonging to:
- Our customers or their partners
- AWS, Azure, GCP, or other cloud providers
- OpenAI, Anthropic, or other AI providers
- Any subservice organizations listed in our SOC 2 report
Report vulnerabilities in these systems directly to the respective organizations.
6. AI-Specific Considerations
6.1 Security vs. Safety Distinction
Elnora AI distinguishes between infrastructure security vulnerabilities and AI model safety issues:
| Type | Examples | Reporting Channel |
|---|---|---|
| Security Vulnerabilities (In-Scope) | Authentication bypass, SQL injection, XSS, SSRF, data exposure | security@elnora.ai |
| AI Safety Issues (Out-of-Scope for this Policy) | Jailbreaks, prompt injections, harmful content generation, hallucinations | security@elnora.ai (subject: "AI Safety Issue") |
6.2 AI Model Out-of-Scope Items
The following AI-related issues are not covered by this Vulnerability Disclosure Policy:
- Prompt injection or jailbreak attempts
- Model hallucinations or factual inaccuracies
- AI output that bypasses content policies
- Adversarial examples affecting model behavior
- Training data extraction (unless via infrastructure vulnerability)
- Model bias or fairness concerns
- AI output accuracy issues
6.3 Reporting AI Safety Issues
AI safety issues should be reported to security@elnora.ai with the subject line "AI Safety Issue" and will be triaged separately from infrastructure security vulnerabilities.
7. Regulatory Considerations
7.1 GDPR Data Breach Connection
If a reported vulnerability involves actual or potential unauthorized access to personal data of EU residents, Elnora AI will:
- Assess whether the vulnerability constitutes a personal data breach under GDPR Article 4(12)
- If applicable, notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms
7.2 HIPAA PHI Handling
Vulnerabilities involving Protected Health Information (PHI):
- Researchers MUST NOT access, view, copy, or exfiltrate any PHI during testing
- Reports suggesting potential PHI exposure will be treated as potential HIPAA incidents and escalated per our Incident Response Plan
- Discovery of PHI in vulnerability reports will trigger our HIPAA Breach Procedures (4-hour notification to Security/Privacy Officer)
7.3 Breach Notification Triggers
Security vulnerabilities reported through this program may trigger breach notification requirements under:
- GDPR Article 33 (72-hour notification)
- HIPAA 164.308(a)(6) (60-day notification to affected individuals)
- CCPA (California Consumer Privacy Act)
- NY Data Security Law / 23 NYCRR 500
- Customer contractual commitments
Elnora AI will make breach determinations in accordance with applicable law and our Incident Response Plan.
8. Disclosure and Credit
8.1 Coordinated Disclosure Process
Elnora AI practices coordinated disclosure:
- Researcher reports vulnerability via designated channels
- Elnora AI acknowledges receipt within 3 business days
- Elnora AI validates and classifies severity within 5 business days
- Elnora AI remediates according to severity timelines
- Researcher validates fix in production (upon request)
- Public disclosure coordinated between researcher and Elnora AI
8.2 Public Disclosure Conditions
Public disclosure may occur:
- After Elnora AI has deployed a fix and customers have had reasonable time to update
- With explicit mutual agreement between researcher and Elnora AI
- After the standard disclosure timeline has elapsed (per Section 4.2)
- Earlier if there is evidence of active exploitation in the wild
Exception: Disclosure may be delayed if:
- The vulnerability affects multiple organizations requiring coordination
- Active exploitation would cause significant harm to customers
- Regulatory or law enforcement considerations apply
8.3 Researcher Credit and Recognition
With researcher consent, Elnora AI will:
- Credit the researcher in our Security Acknowledgments page
- Include researcher name (or alias) in security advisories
- Provide a letter of acknowledgment upon request
Published Information (with consent):
- Researcher name or preferred alias
- General vulnerability category (not technical details)
- Month and year of responsible disclosure
Prohibited from Publication:
- Specific vulnerability details until coordinated disclosure
- Customer impact information
- Internal system architecture details
8.4 Hall of Fame
Researchers who responsibly disclose valid vulnerabilities may be recognized on our Security Acknowledgments page at https://elnora.ai/security/acknowledgments (upon implementation).
9. Recognition Program
9.1 Eligibility Criteria
Elnora AI does not currently operate a paid bug bounty program. However, we deeply appreciate the contributions of security researchers and offer:
- Public acknowledgment (with consent)
- Letters of appreciation for professional portfolios
- First consideration for future paid program participation
9.2 Future Bug Bounty Program
Elnora AI may implement a paid bug bounty program in the future. Interested researchers can express interest to security@elnora.ai to be notified when such a program launches.
10. Integration with Security Program
10.1 Incident Response Integration
Vulnerability reports received through this program are processed according to our Incident Response Plan:
| VDP Severity | CVSS Score | IRP Severity | Initial Response |
|---|---|---|---|
| Critical | 9.0 - 10.0 | P0 | Immediate escalation to IT/Engineering management |
| High | 7.0 - 8.9 | P1 | Support ticket + manager notification |
| Medium | 4.0 - 6.9 | P2 | Support ticket assigned to appropriate team |
| Low | 0.1 - 3.9 | P3 | Scheduled for regular maintenance cycle |
10.2 Documentation
All VDP reports are documented in our ticketing system with:
- Unique tracking ID (VDP-YYYY-NNN format)
- Incident collection form per our Incident Response Plan
- Root cause analysis for verified Critical/High vulnerabilities
- Evidence preservation per NIST SP 800-86 guidance
10.3 Vendor Security (Subservice Organizations)
Vulnerabilities discovered in our subservice organizations (AWS, Google Workspace, etc.) should be reported directly to those organizations. Elnora AI is not responsible for vulnerabilities in third-party systems beyond our control.
11. Legal Considerations
11.1 Applicable Law
This Policy and any disputes arising from it shall be governed by the laws of the State of Delaware, United States.
11.2 Researcher Representations
By submitting a vulnerability report, you represent that:
- You have the legal authority to disclose the vulnerability
- You have not violated any laws in discovering the vulnerability
- You will not disclose the vulnerability to third parties until coordinated disclosure
- You are not subject to any restrictions that would prohibit your participation
11.3 Sanctions Compliance
Researchers must not be on any OFAC sanctions list or subject to other legal restrictions that would prohibit Elnora AI from receiving reports or providing acknowledgment.
11.4 No Employment Relationship
Participation in this program does not create an employment, contractor, or agency relationship with Elnora AI.
12. Policy Administration
12.1 Version History
| Version | Date | Description | Author | Approver |
|---|---|---|---|---|
| 1.0 | December 28, 2025 | Initial Policy | Carmen Kivisild | Carmen Kivisild |
12.2 Contact for Questions
For questions about this Policy before conducting research:
- Email: security@elnora.ai
- Subject Line: "VDP Policy Question"
Thank you for helping us keep Elnora AI secure.