Responsible Disclosure

We take security seriously. If you've found a vulnerability in our software or infrastructure, please tell us before going public.

Report a vulnerability

Email us at contact@provnai.com with a clear description of the issue, reproduction steps, and potential impact. We will acknowledge your report as quickly as possible.

PGP key available on request.

Scope

In scope: McpVanguard (github.com/provnai/mcp-vanguard), VEX Protocol (private pilot — contact us for scope details), provnai.com, and provnai.dev. Out of scope: third-party dependencies, social media accounts, and theoretical issues without demonstrated impact.

What we ask

Give us reasonable time to investigate and patch before public disclosure. Do not access, modify, or delete data belonging to other users. Do not perform denial-of-service attacks or automated scanning without prior agreement.

What we offer

We will acknowledge your report as quickly as possible, provide a status update within 7 days, and credit you in public release notes if you wish. We do not currently offer a paid bug bounty program, but we appreciate responsible disclosure deeply.

Our commitment

We will not pursue legal action against researchers who follow this policy and act in good faith. We will keep you informed about the status of your report throughout the remediation process.