Vulnerability Disclosure Policy

Last updated: May 18, 2026

1. Our Commitment

diezX takes the security of our customers, our users, and the integrity of our platform seriously. We welcome security research that helps us identify and resolve vulnerabilities responsibly. This policy outlines how to report vulnerabilities to us, what to expect from our response, and the protections we offer to security researchers acting in good faith.

2. Scope

The following systems and services are in scope for vulnerability reports:
• https://diezx.ai (marketing website)
• https://app.diezx.ai (DiezX platform)
• https://agents.diezx.ai (DiezX backend API)
• Any subdomain of diezx.ai operated by diezX

Out of scope:
• Third-party services we use (Google Cloud, MongoDB, Anthropic, Resend, Twilio, Mixpanel, PostHog, Cloudinary, GitHub) — report directly to the vendor
• Social engineering attacks against diezX employees or customers
• Physical attacks against diezX or any third-party facility
• Denial-of-service (DoS / DDoS) attacks
• Spam, brute-force attempts at scale, or testing that materially affects service availability
• Findings derived from already-public information (e.g., subdomain enumeration without an actual vulnerability)

3. How to Report

Email security@diezx.ai with:
• A clear description of the vulnerability and its potential impact
• Steps to reproduce, including any proof-of-concept code, screenshots, or HTTP request/response captures
• Your name or handle (for credit, if desired) and a contact channel
• Optional: your PGP public key for encrypted follow-up

We acknowledge receipt of every good-faith report within 2 business days.

4. Response Timeline

We commit to the following response targets, measured from the time a report passes initial triage:
• Critical-severity issues (e.g., remote code execution, unauthenticated access to customer data, secret exposure): acknowledge ≤ 24 hours, fix or mitigate ≤ 7 days
• High-severity issues (e.g., authenticated horizontal privilege escalation, sensitive data exposure with specific preconditions): acknowledge ≤ 2 business days, fix ≤ 30 days
• Medium-severity issues: acknowledge ≤ 5 business days, fix ≤ 90 days
• Low-severity issues: acknowledge ≤ 10 business days, fix scheduled in the next reasonable release

We will keep you informed of progress at meaningful milestones (triaged, fix in progress, fix deployed) and notify you when the issue is resolved.

5. Safe Harbor

diezX will not pursue legal action, file a complaint with law enforcement, or take other adverse action against security researchers who:
• Make a good-faith effort to follow this policy
• Only access data and systems to the extent necessary to demonstrate the vulnerability
• Do not modify, retain, exfiltrate, or destroy customer data
• Do not impact other users' ability to use the service
• Give us a reasonable time to remediate before public disclosure

If a third party initiates legal action against you in connection with research conducted under this policy, diezX will make it known to that party that your research was authorized.

6. Coordinated Disclosure

We follow coordinated disclosure principles. After a vulnerability is reported:
• We will work with you to understand and validate the issue
• We commit to remediating confirmed vulnerabilities within the timelines above
• Public disclosure should be coordinated with us. We ask researchers to wait until the issue is resolved (or, at minimum, 90 days from triage) before disclosing publicly
• We will credit reporters who wish to be credited in our security acknowledgments, unless they request anonymity

7. What We Cannot Offer

diezX does not currently operate a paid bug bounty program. We acknowledge that the reporter's time has value and aim to credit and thank everyone who helps us improve security through responsible disclosure. We hope to launch a formal bounty program in the future; until then, our commitment is to fast, transparent, and respectful collaboration.

8. Contact

Security reports: security@diezx.ai

PGP key fingerprint for encrypted communication: published at https://diezx.ai/.well-known/security.txt (key available on request).

For non-security matters, please use hello@diezx.ai (general) or privacy@diezx.ai (data privacy / OAuth concerns).