Unofficial translation. This English version is provided for reference only. The Romanian version of this document is the legally binding original — in case of any conflict or interpretation issue, the Romanian text prevails.

VULNERABILITY DISCLOSURE POLICY

Coordinated security vulnerability reporting

The ARTEMIS Platform — operated by CAI Technology S.R.L.

Aligned with ISO/IEC 29147:2018, RFC 9116, NIS2 Directive (EU 2022/2555), Romanian Law no. 58/2023 and GEO no. 155/2024.

Version: v1.0 ARTEMIS • Published on: 2026-05-06 • Effective from: 2026-05-06

1. Scope

This Vulnerability Disclosure Policy ("VDP") covers security research conducted on the ARTEMIS Platform and its publicly accessible components, as further detailed below.

1.1. Assets in scope

  • the main Platform at https://artemis.caitech.ro and its sub-domains owned by CAI Technology S.R.L.;
  • the public REST APIs and authenticated GraphQL endpoints;
  • the mobile applications (iOS / Android), if published;
  • the public infrastructure of the Platform (CDN, DNS, e-mail gateways) operated by CAI Technology S.R.L.

1.2. Assets EXCLUDED from scope

The following are NOT covered by this policy:

  • subprocessor systems (AWS, Azure, Stripe, etc.) — report directly to them, in accordance with their policies;
  • systems of CAI Technology S.R.L. clients;
  • third-party websites or applications that merely link to ARTEMIS;
  • vulnerabilities already known, previously reported, and currently being remediated.

2. Safe harbor

CAI Technology S.R.L. will not initiate legal action against, and will not report to the authorities, researchers who, in good faith, comply with the following rules:

  • they touched only their own account, or test accounts created specifically for the purpose, during the demonstration;
  • they did not access, modify, or destroy other Users' data;
  • they did not exfiltrate data beyond the minimum needed for proof-of-concept;
  • they did not perform DoS / DDoS / brute-force / spam attacks;
  • they did not engage in social engineering against CAI Technology S.R.L. personnel;
  • they did not publicly disclose vulnerability details before remediation;
  • they observed the coordinated-disclosure timeline (see Section 5).

Researchers who comply with these rules are protected by safe harbor: CAI Technology S.R.L. undertakes not to initiate civil or criminal action, not to request criminal investigation, and not to block access to the Platform during coordinated testing.

3. How to report

Vulnerability reports are received exclusively through:

  • e-mail to office@caitech.ro;
  • PGP-encrypted e-mail using the key published at https://artemis.caitech.ro/.well-known/pgp-key.asc;
  • the security.txt file at https://artemis.caitech.ro/.well-known/security.txt.

3.1. Report contents

To accelerate triage, please include in your report, where possible:

  • a description of the vulnerability and its potential impact;
  • the affected component (URL, endpoint, parameter);
  • detailed steps to reproduce (proof-of-concept);
  • CVSS 3.1 / 4.0 classification, if available;
  • remediation recommendations (optional);
  • how you would like to be credited (anonymous, pseudonymous, real name).

4. Out-of-scope issues (as a rule)

The following types of reports are generally out of scope and will not be rewarded — even if, in context, they may become relevant:

  • absence of security headers (HSTS, CSP, X-Frame-Options) without practical impact demonstration;
  • theoretical issues without practical demonstration;
  • issues affecting outdated browser versions (below IE 11 or equivalent);
  • self-XSS, social engineering, phishing of users;
  • known vulnerabilities in open-source libraries used by the Platform (report upstream);
  • absence of rate limiting on public forms (except in cases of demonstrated commercial abuse);
  • DMARC/SPF misconfiguration not practically exploitable;
  • public, non-sensitive information disclosure;
  • clickjacking on pages without impactful actions.

5. Coordinated disclosure timeline

CAI Technology S.R.L. commits to the following timelines:

  • report receipt confirmation: within 48 business hours;
  • initial triage and classification: 5 business days;
  • remediation plan and timeline communicated to the reporter: 14 days;
  • remediation of critical vulnerabilities (CVSS ≥ 9.0): 30 days;
  • remediation of major vulnerabilities (CVSS 7.0–8.9): 60 days;
  • remediation of medium vulnerabilities (CVSS 4.0–6.9): 90 days;
  • remediation of minor vulnerabilities (CVSS < 4.0): 180 days;
  • public disclosure (CVE): coordinated with the reporter after remediation; no later than 90 days from confirmed remediation, unless the reporter agrees otherwise.

If timelines cannot be met, CAI Technology S.R.L. transparently communicates the reasons and a revised schedule.

6. Rewards (bug bounty)

CAI Technology S.R.L. does not currently operate a public, monetary bug-bounty program. However, valid and constructive reports may receive non-monetary recognition: inclusion in the public Hall of Fame, signed certificates, and CAI Technology S.R.L. merchandise. The decision is taken case-by-case based on impact, novelty, and report quality.

7. Legal framework

This procedure is aligned with:

  • ISO/IEC 29147:2018 — Vulnerability disclosure;
  • ISO/IEC 30111:2019 — Vulnerability handling processes;
  • RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure (security.txt);
  • Directive (EU) 2022/2555 (NIS2) — coordinated vulnerability management;
  • Romanian Law no. 58/2023 on cybersecurity in Romania and GEO no. 155/2024 (NIS2 transposition);
  • Regulation (EU) 2024/2847 (Cyber Resilience Act) — within applicability limits.

8. Hall of Fame / acknowledgements

With the researchers' consent, CAI Technology S.R.L. publishes, at /security/hall-of-fame, a list of those who contributed to improving the Platform's security. Anonymization or pseudonymization is optional, at the reporter's request.

9. Contact

Security team: office@caitech.ro

PGP key: https://artemis.caitech.ro/.well-known/pgp-key.asc

security.txt: https://artemis.caitech.ro/.well-known/security.txt

For personal data (GDPR breaches): dpo@caitech.ro

To report to DNSC (when required by law): https://dnsc.ro/

Acknowledgements. CAI Technology S.R.L. thanks the security researchers who contribute, in good faith, to protecting the Platform and its Users. Security is a collective effort.

© 2026 CAI Technology SRL · CUI RO50512457 · J2024020380005