27.1.1 Responsible Disclosure Template

2025.10.06.
AI Security Blog

A responsible disclosure policy is a foundational document for any organization deploying AI systems. It establishes a clear, safe, and structured channel for security researchers, ethical hackers, and AI red teamers to report vulnerabilities. This template provides a comprehensive starting point for creating your own policy, tailored to the unique challenges of AI security.

Using This Template

This document is a generic template. You must adapt it to your organization’s specific context, legal requirements, and technical infrastructure. Replace all bracketed placeholders (e.g., [Organization Name]) with your information. Review each section carefully with your legal and security teams before publishing.


Responsible Disclosure Policy for [Organization Name]

Policy Version: [e.g., 1.0]

Last Updated: [Date]

1. Our Commitment to Security

At [Organization Name], we are committed to the security and integrity of our systems, especially our AI and machine learning models. We value the expertise of the independent security research community and believe that a collaborative approach is essential for identifying and mitigating potential risks. This policy outlines our process for receiving and responding to vulnerability reports and our commitments to the researchers who submit them.

2. Scope

This policy applies to security vulnerabilities found within the following systems and services:

In-Scope Assets

  • Production APIs: [api.example.com/v1/model-alpha], [inference.example.com/*]
  • Web Applications: [app.example.com], [portal.example.com]
  • Specific AI Models: Vulnerabilities related to prompt injection, data leakage, adversarial attacks, or denial-of-service against Model Version [e.g., model-zeta-v2.3].
  • Data Processing Pipelines: Systems responsible for data ingestion and preprocessing, if publicly exposed.
  • Open Source Libraries: Any open-source libraries we maintain, located at [github.com/OrgName].

Out-of-Scope Assets

Any service not explicitly listed above is out of scope. In particular, the following assets are excluded and the following activities are strictly prohibited:

  • Corporate IT infrastructure (e.g., email servers, internal wikis).
  • Denial of Service (DoS or DDoS) attacks against any asset.
  • Social engineering or phishing of our employees, contractors, or customers.
  • Physical attacks against our offices or data centers.
  • Reports from automated scanners without manual validation of a vulnerability.
  • Attacks that could degrade model performance for other users or poison training data.

3. How to Submit a Report

If you believe you have discovered a security vulnerability in one of our in-scope assets, please report it to us as quickly as possible. We encourage encrypted communication.

  • Primary Contact: Email us at [security@example.com].
  • PGP Key: [Link to Public PGP Key]

Vulnerability Report Format

To help us triage and validate your finding efficiently, please include the following information in your report:

## AI Vulnerability Report ##

1.  **Summary:** A concise, one-sentence summary of the vulnerability.
    (e.g., "Indirect prompt injection allows arbitrary instruction execution on model-zeta-v2.3")

2.  **Affected Asset(s):** The specific API endpoint, model version, or URL.

3.  **Vulnerability Type:** (e.g., Prompt Injection, Data Leakage, Model Evasion, Denial of Service, Insecure Direct Object Reference).

4.  **Steps to Reproduce:** Detailed, step-by-step instructions, including any specific inputs, prompts, or code.

5.  **Proof-of-Concept (PoC):**
    - For API issues: A cURL request or Python script.
    - For prompt injection: The full prompt and the model's output.
    - For UI issues: Screenshots or a video.

6.  **Impact:** A clear explanation of the potential impact of the vulnerability.
    (e.g., "An attacker could bypass content filters to generate harmful content," or "The vulnerability leaks personally identifiable information from the model's training data.")

4. Our Process and Commitments

We are dedicated to a transparent and fair process for all researchers.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be authorized and will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. You are expected to comply with all applicable laws and, as part of this, not to view, alter, or exfiltrate any data that is not your own.

Response Timelines

We will use our best efforts to meet the following service-level agreements (SLAs) for reports on in-scope assets:

| Stage | Target Timeline | Description |
|---|---|---|
| Initial Acknowledgement | Within 2 business days | We will confirm receipt of your report. |
| Triage & Validation | Within 5 business days | Our team will validate the vulnerability and determine its severity. |
| Remediation | Within 90 days | We will work on a fix. For complex AI issues, this may take longer, and we will maintain communication. |
| Public Disclosure | Patch confirmed, or 90 days | We request that you do not publicly disclose the vulnerability until we have confirmed it is patched, or after 90 days have passed. |
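An intake script that ties the report format, the in-scope asset list, and the response-timeline table together: it parses a report written in the numbered, bold-labelled format above, flags missing fields and out-of-scope assets, and computes the acknowledgement, triage and remediation due dates. This is an added example, not part of the template; the in-scope patterns are the placeholder values from the Scope section, and the sample report is constructed.

```python
import re
from datetime import timedelta
from fnmatch import fnmatch
# In-scope patterns from the Scope section and the six report fields, in template order.
IN_SCOPE = ["api.example.com/v1/model-alpha", "inference.example.com/*",
            "app.example.com", "portal.example.com"]
REQUIRED = ["Summary", "Affected Asset(s)", "Vulnerability Type",
            "Steps to Reproduce", "Proof-of-Concept (PoC)", "Impact"]
FIELD_RE = re.compile(r"^\s*\d+\.\s+\*\*(.+?):\*\*\s*(.*)$")  # "1.  **Summary:** text"

def parse_report(text):  # split a report in the template's format into {field: body}
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current and line.strip():  # continuation line belongs to the open field
            fields[current] = (fields[current] + "\n" + line.strip()).strip()
    return fields

def in_scope(asset):  # glob-match one asset against IN_SCOPE; "[...]" brackets tolerated
    return any(fnmatch(asset.strip().strip("[]"), pat) for pat in IN_SCOPE)

def add_business_days(start, n):  # n Monday-to-Friday days ahead; holidays ignored
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def triage(text, received):  # required fields, scope check, due dates from the SLA table
    fields = parse_report(text)
    assets = [a.strip() for a in fields.get("Affected Asset(s)", "").split(",") if a.strip()]
    missing = [f for f in REQUIRED if not fields.get(f)]
    out_of_scope = [a for a in assets if not in_scope(a)]
    return {"missing": missing, "out_of_scope": out_of_scope,
            "accepted": not missing and bool(assets) and not out_of_scope,
            "acknowledge_by": add_business_days(received, 2),
            "triage_by": add_business_days(received, 5),
            "remediate_by": received + timedelta(days=90)}

# Constructed sample report (not a real finding), written in the template's format.
SAMPLE_REPORT = """1.  **Summary:** Indirect prompt injection via retrieved document on model-zeta-v2.3
2.  **Affected Asset(s):** inference.example.com/v1/chat, portal.example.com
3.  **Vulnerability Type:** Prompt Injection
4.  **Steps to Reproduce:** See attached transcript (constructed sample).
5.  **Proof-of-Concept (PoC):**
    - Full prompt and model output attached.
6.  **Impact:** Content filter bypass limited to the reporter's own session.
"""
```

Business days are approximated as Monday to Friday; plug in your own holiday calendar before relying on the dates.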

5. Rules of Engagement

To protect our systems and users, you must adhere to the following rules:

  • Stop testing and report to us immediately if you encounter any user data that is not your own.
  • Do not engage in any activity that could disrupt, damage, or degrade our services or user experience.
  • Do not perform resource-intensive queries that could be interpreted as a Denial of Service attack. Limit your requests to a reasonable rate.
  • Do not attempt to pivot from a vulnerability in an in-scope system to an out-of-scope system.
  • You must not violate any applicable laws or regulations.

6. Rewards and Recognition (Optional)

[This section is optional. If you have a bug bounty program, detail it here. If not, you can still offer recognition.]

We deeply appreciate the contributions of security researchers. For valid, in-scope vulnerability reports, we may offer:

  • Monetary Bounties: We offer bounties based on the severity and impact of the vulnerability. [Link to bounty tiers, if applicable].
  • Hall of Fame: With your permission, we will list your name or handle on our Security Hall of Fame page.