Responsible Disclosure

At Aurelius, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.


This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues.


If you've discovered a vulnerability, follow the guidelines below to report it to our security team:

Please follow these rules when testing/reporting vulnerabilities:
  • Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.
  • Do not read, modify or delete data that isn't your own.
  • Do not store, share, compromise or destroy any Aurelius data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Aurelius.
  • The scope of the program is limited to technical vulnerabilities in Aurelius web applications, websites and APIs, please do not try to test physical security or attempt phishing attacks against our employees, and so on.
  • Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, and do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.
  • Do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
  • Do not conduct fraudulent activity or complete fraudulent financial transactions as part of your research.
  • Don’t cause harm to Aurelius, its customers, shareholders, partners or employees.
  • Don’t engage in any act that may cause an outage or stop any of Aurelius' applications or services.
  • Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
What we promise:
  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all of our legal rights.
  • We will do our best to keep you informed during all stages of resolving the problem.