Security Policy

Astraea-Pro · Responsible Disclosure & Quarterly RLS Audit

Last Reviewed: April 15, 2025
Next Review Due: July 14, 2025

Our Commitment to Security

Astraea-Pro handles sensitive legal and therapeutic data. We take security seriously and welcome responsible disclosure from security researchers who identify vulnerabilities in our platform.

We follow a 90-day coordinated disclosure model. We will not pursue legal action against researchers who act in good faith and follow the guidelines below.

How to Report a Vulnerability

Primary Contact

gratienceltd@gmail.com

Preferred for all security reports

Response Time

Initial acknowledgement within 48 hours

Full remediation within 90 days

Please include in your report:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Affected URL, endpoint, or component
  • Any proof-of-concept code or screenshots (redact sensitive data)
  • Your preferred contact method for follow-up

Scope

In Scope

  • astraealegaltech.ca and all subdomains
  • Supabase Edge Functions (Gemini proxy, auth flows)
  • Authentication and session management
  • Data access control and RLS policies
  • Input sanitization and injection vulnerabilities
  • Sensitive data exposure in API responses

Out of Scope

  • Third-party services: Supabase, Google, Stripe, ElevenLabs
  • Social engineering attacks against staff
  • Physical security
  • Denial of service (DoS/DDoS)
  • Vulnerabilities requiring physical device access
  • Issues in outdated browsers not officially supported

Safe Harbour

We will not pursue legal action against researchers who:

  • Act in good faith to identify and report vulnerabilities
  • Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability
  • Do not disrupt platform availability or degrade user experience
  • Allow us 90 days to remediate before public disclosure
  • Do not use the vulnerability for personal gain

Note: This safe harbour applies only to security research conducted in accordance with this policy. Malicious exploitation of vulnerabilities is not covered.

Severity Classification & Response SLAs

Severity   Examples                                            Response SLA
Critical   RLS bypass, auth bypass, mass data exposure         24 hours
High       Privilege escalation, stored XSS, IDOR              7 days
Medium     Reflected XSS, CSRF, information leakage            30 days
Low        Missing headers, verbose errors, minor misconfigs   90 days