Security & Vulnerability Disclosure

Built for resilience. Open to scrutiny.

At Resilera, we build systems designed to withstand failure — including security failure. We welcome reports from independent researchers, customers and partners. If you identify a vulnerability, we want to know — and we will act.

Report a Vulnerability

Email: security@resilera.com

Encrypted submissions via PGP (see below).

Please include:

  • Description of the issue
  • Steps to reproduce
  • Affected systems / URLs
  • Proof-of-concept where possible
  • Your contact details

Encryption (PGP)

For sensitive reports, encrypt your submission using our PGP public key.

Public key: https://www.resilera.com/.well-known/pgp-key.txt
Fingerprint: 25A3 7CBD 5E0C A4FF 9D79 4A6D C55F D5F2 2E7D BCC5
User ID: Resilera Security <security@resilera.com>
Expires: 2028-04-10

Verify the fingerprint above against an independent channel before encrypting a sensitive report.

Scope

This policy covers vulnerabilities affecting any of the following:

  • *.resilera.com
  • resilera.com.au
  • resilera.ai
  • app.resilera.ai

Response & Severity Targets

We acknowledge all reports within 24 hours and provide an initial assessment within 1–3 business days. Our triage and response targets by severity:

Severity    Example Impact                             Target Response
Critical    Data exposure, auth bypass, RCE            < 24 hours
High        Privilege escalation, significant abuse    < 48 hours
Medium      Limited impact, constrained exploitation   < 3–5 days
Low         Minor misconfigurations                    Best effort

Safe Harbour

We will not pursue legal action against researchers who act in good faith and abide by the principles below. If you follow this policy, we consider your research authorised and will work with you to understand and resolve the issue.

We ask that you:

  • Act in good faith and follow this policy
  • Avoid privacy violations and do not exfiltrate or modify data
  • Do not degrade or disrupt our services
  • Limit testing to proof of concept only
  • Allow us reasonable time to remediate before public disclosure

Out of Scope

The following are generally not considered reportable vulnerabilities under this policy:

  • Missing security headers without demonstrated impact
  • Clickjacking on non-sensitive pages
  • Brute-force attacks without proof of exploitation
  • Self-XSS and other self-inflicted issues
  • Vulnerabilities in third-party platforms outside our direct control

Bug Bounty

Resilera does not currently operate a bug bounty program. Recognition for valid reports may be offered at our discretion.

Disclosure Approach

We practise coordinated disclosure. Public disclosure happens after the issue is resolved, or by agreement with the reporter.

Why this matters

“Security is not a checklist — it’s a system property. If you’ve found a weakness, you’ve identified a failure mode. That’s exactly what we exist to surface and fix.”

Report a Security Issue

For security matters only:

security@resilera.com

For general enquiries, email info@resilera.com.