Security
Responsible Disclosure Policy
Last updated: March 2026
Our Commitment
9 Realms Security takes the security of our systems and our clients' data seriously. We welcome reports from security researchers who identify vulnerabilities in our web properties, client portal, or public-facing infrastructure.
We commit to working with researchers in good faith to understand, validate, and remediate reported findings. We will not pursue legal action against researchers who follow the guidelines in this policy.
Scope
The following assets are in scope for responsible disclosure:
- 9realmssecurity.com and all subdomains
- The 9 Realms Security client portal
- Any other internet-accessible service operated by 9 Realms Security
How to Report
Send vulnerability reports to security@9realmssecurity.com. Please include as much detail as possible to help us reproduce and validate the finding.
A useful report includes: a clear description of the vulnerability, the asset or URL affected, steps to reproduce the issue, any tools or proof-of-concept code used, and your assessment of potential impact.
If your report contains sensitive data or credentials discovered during testing, please encrypt your message using PGP. Contact us first and we will provide a public key.
What to Expect
We will acknowledge receipt of your report within two business days.
We will provide an initial assessment of validity and severity within five business days where possible. For complex findings, we will communicate the timeline for our review.
We will keep you informed as we work through remediation and will notify you when the issue is resolved. We ask for a reasonable disclosure window — typically 90 days from initial report — before public disclosure.
While we do not currently operate a paid bug bounty program, we are grateful for good-faith disclosures and happy to provide public acknowledgment with your permission.
Safe Harbor
We will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith and in accordance with this policy.
Good faith means: conducting research only on in-scope systems, not accessing or modifying client data beyond what is needed to demonstrate the vulnerability, not causing disruption to our services or clients, and reporting promptly without exploiting the vulnerability for personal gain.
Out of Scope
The following activities are out of scope and will not be treated as good-faith research:
- Denial-of-service attacks or any testing that degrades service availability
- Social engineering of 9 Realms Security staff or clients
- Physical security testing
- Accessing, downloading, or modifying client data beyond what is minimally necessary to demonstrate the vulnerability
- Automated scanning tools that generate significant traffic volumes against production systems
- Submitting vulnerabilities in third-party software or services we rely on that are not under our control
Questions about this policy? Email security@9realmssecurity.com or read our Security Practices.