Responsible Disclosure Policy

Effective date: 21 February 2026

1. Our Commitment

BatchCortex takes security seriously. We operate in GMP-regulated pharmaceutical environments where data integrity is non-negotiable. If you discover a vulnerability, we want to hear from you.

2. Scope

This policy covers:

  • batchcortex.com and all subdomains
  • The BatchCortex edge agent software
  • BatchCortex API endpoints
  • Authentication and session management

3. How to Report

Email: vilmer@batchcortex.com

Subject line: [SECURITY] Brief description

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact details (optional)

4. Our Commitment to You

We will:

  • Acknowledge your report within 48 hours
  • Provide a status update within 7 days
  • Not pursue legal action against researchers acting in good faith
  • Credit you publicly, if you wish, after the issue is resolved

5. Rules of Engagement

  • Do not access, modify, or delete customer data
  • Do not perform denial of service attacks
  • Do not social engineer BatchCortex staff or customers
  • Test only against your own account or our demo environment

6. Out of Scope

  • Theoretical vulnerabilities without proof of concept
  • Social engineering attacks
  • Physical security issues at customer sites