Responsible Disclosure

How to report a security vulnerability, what's in scope, and what to expect from us.

Responsible Disclosure Policy

Xalerate AB welcomes reports from security researchers and customers who discover potential vulnerabilities in Brain Orchestra. This policy explains how to report an issue, what's in scope, and what you can expect from us.

Effective date: May 30, 2026

How to report

Email security@xalerate.com with:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce (proof-of-concept, request/response samples, or a short script).
  • The affected endpoint, domain, or component.
  • Your contact details so we can follow up.

If you need to share sensitive material, mention it in your first email and we'll arrange an encrypted channel.

You can also find this contact in our machine-readable security policy at /.well-known/security.txt.
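As an added check, not part of Xalerate's policy or tooling: before relying on a security.txt file, it is worth confirming it carries the fields RFC 9116 requires, namely at least one Contact URI and exactly one Expires timestamp that has not passed. The Python below validates those on a constructed sample; the Contact value is the address given above, while the Expires date, Preferred-Languages and Canonical values are placeholders assumed for the example, not values taken from the live file.

```python
"""Check a security.txt file (RFC 9116) for the fields a reporter relies on."""
from datetime import datetime, timezone

# Constructed sample, not fetched from brainorchestra.ai. The Contact value
# is the address given on this page; Expires, Preferred-Languages and
# Canonical are placeholders chosen for the example.
SAMPLE_SECURITY_TXT = """\
# Security policy for brainorchestra.ai (constructed sample)
Contact: mailto:security@xalerate.com
Expires: 2027-05-30T00:00:00Z
Preferred-Languages: en, sv
Canonical: https://brainorchestra.ai/.well-known/security.txt
"""

# RFC 9116 requires Contact values to be URIs; these are the usual schemes.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_fields(text):
    """Return (name, value) pairs, skipping comments and blank lines.

    Field names are lower-cased because RFC 9116 treats them case-insensitively.
    Lines without a 'Field: value' shape are kept under the name '<malformed>'.
    """
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.append(("<malformed>", line))
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_expires(value):
    """Parse an RFC 3339 timestamp; return an aware datetime, or None if invalid."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable.

    Checks: at least one Contact with an allowed URI scheme, exactly one
    Expires field, Expires parses as RFC 3339, and Expires is after `now`.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []

    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        when = parse_expires(expires[0])
        if when is None:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        elif when <= now:
            problems.append(f"security.txt expired on {when.isoformat()}")

    for name, value in fields:
        if name == "<malformed>":
            problems.append(f"line without 'Field: value' form: {value}")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT) or ["ok"]:
        print(problem)
```

An expired or missing Expires field is the most common defect in published security.txt files; RFC 9116 says a file past its Expires date should not be relied upon, which is why the check treats it as a problem rather than a warning.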

Our commitment to you

  • Acknowledgement within 2 business days of your report.
  • Triage and initial assessment within 5 business days, including a severity classification and an expected remediation timeline.
  • Progress updates at least every 10 business days until resolution.
  • Credit — with your permission, we're happy to acknowledge your contribution once the issue is fixed.

Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will:

  • Consider your activity authorised and not pursue or support legal action against you for it.
  • Work with you to understand and resolve the issue quickly.

Good faith means: you avoid privacy violations, data destruction, and service degradation; you only interact with accounts you own or have explicit permission to test; and you give us a reasonable opportunity to remediate before any public disclosure.

Scope

In scope

  • api.brainorchestra.ai — the gateway API.
  • app.brainorchestra.ai — the customer dashboard.
  • brainorchestra.ai — the public website.
  • Authentication, tenant isolation, the audit pipeline, PII handling, BYOK secret storage, billing, and access-control logic.

Out of scope

  • Findings that require physical access to a user's device, or social engineering of Xalerate staff or customers.
  • Denial-of-service / volumetric attacks, and any testing that degrades service for other customers.
  • Issues in third-party sub-processors' own infrastructure (report those to the sub-processor; see our sub-processor list).
  • Reports from automated scanners without a demonstrated, exploitable impact.
  • Missing security headers or best-practice hardening with no demonstrated exploit (we still appreciate the heads-up, but they're triaged at a lower priority).

What we ask

  • Give us reasonable time to remediate before public disclosure (typically 90 days, sooner for low-severity issues; we'll agree a timeline with you).
  • Do not access, modify, or retain customer data beyond the minimum needed to demonstrate the vulnerability.
  • Do not run tests that could degrade the service for other customers.

Encryption

For sensitive disclosures we can provide a PGP key on request. Email security@xalerate.com to arrange it.


Brain Orchestra is a product of Xalerate AB. This policy may be updated as our security programme matures; the effective date above reflects the current version.