Last Modified: February 2026
CORAS Vulnerability Disclosure Policy
Introduction
We are committed to maintaining the security and integrity of our systems and services. We value the contributions of security researchers and encourage responsible vulnerability reporting. This Vulnerability Disclosure Policy (“Policy”) provides guidelines for conducting authorized security research on designated CORAS systems and explains how to report potential vulnerabilities to us.
If you believe you have identified a security vulnerability in an in-scope CORAS system, please report it to Vulnerability@CORAS.com in accordance with this Policy.
Authorization
We authorize good-faith security research conducted in compliance with this policy and limited to systems expressly designated as in-scope. CORAS will not pursue legal action against researchers who conduct security research in good faith and in compliance with this policy.
This authorization does not extend to activities that are malicious, disruptive, unlawful, or inconsistent with the terms of this policy. This policy does not grant permission to violate any applicable law, nor does it override any agreements governing your use of our systems.
CORAS cannot authorize research activity on systems, services, or infrastructure we do not own or operate. If your security research involves third-party networks, systems, information, applications, products or services, that third party may pursue legal or law enforcement action at their discretion. We do not assume responsibility for, and cannot defend, indemnify, or protect you from, any third-party action based on your research activities.
If a third party contacts us regarding activity conducted in accordance with this policy, we may confirm that the activity was authorized by CORAS (as applicable), but we cannot intervene on your behalf.
Scope
This policy applies to the CORAS, CORAS Federal and CORAS Federal IL5 systems (the “In-Scope Systems”).
Security research is authorized only on the In-Scope Systems. Any system or service not expressly identified as in-scope is excluded from this policy and must not be tested. This includes adjacent, integrated, shared, or indirectly connected systems.
Vulnerabilities found in systems owned or operated by third-party vendors (including contractors, hosting providers, or technology partners) are outside the scope of this policy and should be reported directly to the applicable vendor under their own disclosure policy (if any).
If you are unsure whether a system is in scope or not, contact us at Vulnerability@CORAS.com before beginning any testing.
If you believe an out-of-scope system should be considered for testing, please contact us so we can evaluate and advise.
Researcher Guidelines
Under this policy, “security research” means activities conducted in accordance with the following guidelines:
• Promptly notify us upon discovering a real or potential security vulnerability.
• Make every effort to avoid privacy violations, degradation of user experience, disruption of service, or unauthorized access to, alteration of, or destruction of data.
• Use only accounts and data that you own or are expressly authorized to use (e.g., create test accounts). If you identify a vulnerability that may result in access to other users’ data, stop testing immediately and notify us immediately.
• Only use exploits to the extent necessary to confirm the existence of a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, escalate privileges beyond what is necessary for validation, or pivot to other systems.
• Conduct testing in a manner that does not impair system performance or availability.
• Submit reports that are clear, actionable, and relevant to security vulnerabilities. Repeated submission of low-quality or non-security-related reports may be declined.
Sensitive Data Handling
If, during testing, you inadvertently access other users’ data or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must:
• Immediately stop testing;
• Notify us at Vulnerability@CORAS.com;
• Refrain from accessing, copying, downloading, retaining, transmitting, or otherwise using the data; and
• Permanently delete any information inadvertently obtained, unless otherwise instructed by us.
Testing Methods
The following activities are not authorized under this policy:
• Any activity that degrades, impairs, disrupts or otherwise affects system performance or availability, including network denial-of-service attacks (DoS or DDoS).
• Any attempt to alter, damage, corrupt, or destroy systems or data beyond what is strictly necessary to validate the existence of a vulnerability.
• Physical security testing of any kind, including attempts to access buildings, secure areas, or equipment; tailgating; testing locks, sensors, or surveillance; or any in-person intrusion simulation.
• Social engineering of any kind, including phishing, vishing, smishing, impersonation, pretexting, or sending unsolicited communications to employees, contractors, or users.
• Introduction of malicious software, including attempts to deploy malware, ransomware, trojans, worms, or any harmful code into our systems or networks.
• Testing any third-party applications, services, APIs, integrations, or environments, including those linked to or otherwise supporting CORAS systems.
Disclosure Timing
We support coordinated disclosure as a shared responsibility between researchers and vendors.
Researchers agree not to publicly disclose a reported vulnerability until the earlier of: (i) 90 days after we acknowledge receipt of the report; or (ii) the date on which we confirm that remediation is available. The 90-day coordination period begins upon our acknowledgment of receipt of the vulnerability report, not upon submission.
If additional time is reasonably necessary to complete remediation, we may request a reasonable extension. We will communicate openly with the researcher regarding remediation progress and expected timelines.
Researchers are encouraged to coordinate any public disclosure with us to ensure accurate and responsible communication.
Reporting a Vulnerability
Information submitted under this policy will be used solely for defensive and remediation purposes, including investigating, mitigating, and resolving security vulnerabilities.
If your report identifies a vulnerability that may affect a broader user base or shared technology ecosystem, we may share relevant, non-attributed technical details with the Cybersecurity and Infrastructure Security Agency (CISA) or other appropriate coordination bodies as part of a coordinated vulnerability disclosure process. When doing so, we will not share your name or contact information without your express permission.
We may also coordinate with impacted vendors, partners, or service providers as needed to investigate and facilitate remediation.
Vulnerability reports may be submitted to Vulnerability@CORAS.com. Reports may be submitted anonymously.
Expectations
To help us triage and prioritize submissions, we recommend that your report:
• Identifies where the vulnerability was discovered and the potential impact of exploitation.
• Describes in detail the steps needed to reproduce the vulnerability, including proof-of-concept scripts, screenshots, or test account details where applicable.
• Is written in English, where possible.
What you can expect from us:
When you choose to share your contact information with us, we commit to coordinating with you in good faith and in a timely manner.
• We will, to the extent practicable, validate the reported vulnerability and communicate status updates during the remediation process.
• We will maintain reasonable communication with you regarding remediation progress and coordinated disclosure timing.
Questions?
Questions regarding this policy, clarification of scope, or suggestions for improvement may be directed to Vulnerability@CORAS.com.