Security

How to report.
How we respond.

QuKaiZen's public security baseline. Contact, scope, severity SLAs, coordinated disclosure, safe harbor, and who owns vulnerability management end-to-end. Short, specific, and signed by a real person.

Reporting a vulnerability

The single most important section on this page

If you've found a security issue in anything QuKaiZen ships, email us. We read every report. We do not run a public bug bounty — we run a private one, person to person.

How to report

Email security@qukaizen.com with enough detail that we can reproduce and triage without a follow-up. Use the public PGP key linked in /.well-known/security.txt if you'd like the report encrypted; if you don't, that's fine too — the inbox is for security issues only.

  • ·Product and version (qukaizen.com web, AeroLLM <commit>, ARAIL <commit>, Nucleus, AeroLLM-Distill).
  • ·Component / endpoint / file affected.
  • ·A minimal reproducer or proof-of-concept. Logs, requests, screenshots are welcome.
  • ·Your assessment of impact (what an attacker gets, who's affected, what's the blast radius).
  • ·Whether you want public credit and under what name when we disclose.

What happens next

The SRE agent (see Ownership) receives the report and acknowledges within the SLA below. A human (Charles Darnell) is in the loop for any binding decision: confirming severity, scheduling the fix window, drafting the public advisory, requesting a CVE. We will keep you updated and tell you when we've shipped a fix.

Scope

Where this policy applies

QuKaiZen ships four products plus this marketing site. Anything below is in scope. If you're not sure, ask — we'd rather you ask than skip the report.

In scope

These are the systems this policy covers.

  • ·qukaizen.com — this marketing site (Next.js, server-rendered, no third-party telemetry).
  • ·AeroLLM — the open-source inference engine for running LLMs without full GPU residency.
  • ·ARAIL — the shareable Auto Research AI Lab. Runs on the researcher's own hardware, offline by default.
  • ·Nucleus — the internal Super Skill Distillation Pipeline (SSDP) and company hub.
  • ·AeroLLM-Distill — sibling project that produces smaller domain-targeted models.

Out of scope

Things we won't action through this channel

We want real reports, not scanner noise. The following are out of scope; reporting them as a 'finding' delays the queue for everyone else.

Excluded categories

These do not count as vulnerabilities under this policy.

  • ·Denial-of-service or load testing of any QuKaiZen-owned system. Don't do this. Report theoretical DoS conditions as design issues instead.
  • ·Social engineering of QuKaiZen people, contractors, or users.
  • ·Physical attacks against QuKaiZen property or personnel.
  • ·Issues in third-party dependencies — report those upstream. We'll triage downstream impact when an upstream advisory lands.
  • ·Automated scanner output without a working reproducer or demonstrated impact.
  • ·Missing 'best-practice' headers that don't enable a concrete attack (we already publish a real headers baseline; see Baseline controls).
  • ·Findings that require an already-compromised local machine or already-stolen credentials.

Severity & SLAs

Honest small-team numbers

We use CVSS v3.1 as a sanity check but the real call is made by the SRE agent at triage and confirmed by a human. These targets are what we hold ourselves to — fixes ship faster when they're easy, slower when they require coordinated upgrades across products.

Acknowledgement and fix-target windows

Acknowledgement = a human-reviewed reply that confirms we got the report and have a severity assessment. Fix target = the patch lands in the affected product's release stream. Disclosure follows fix per the coordinated-disclosure window below.

Targets

Critical

24 h ack · 7 d fix target

RCE on a QuKaiZen-operated system; pre-auth account takeover; signing-key compromise; supply-chain insertion.

High

48 h ack · 30 d fix target

Authenticated RCE; significant data exposure; auth bypass; cryptographic break in a shipped product.

Medium

7 d ack · 90 d fix target

Stored XSS, CSRF on a sensitive action, IDOR with bounded impact, sandbox weakening in ARAIL.

Low

Best-effort

Informational, defense-in-depth, hardening that's worth doing but doesn't unlock an attack today.

Clock starts when the report lands in the inbox, not when we read it. Weekends and holidays count.

Coordinated disclosure

How findings become public

We disclose after a fix is shipped, or after the disclosure window closes — whichever comes first. We will not sit on a report indefinitely.

Default 90-day window

Disclosure window starts on first acknowledgement. The default is 90 days. We may request an extension for exploit-chain complexity, cross-product coordination, or upstream dependency that needs to ship first; extensions require researcher agreement and are documented in the advisory. If we miss the window without an agreed extension, you are free to disclose.

Credit

We credit reporters by name in the advisory unless they request anonymity. We will not deny credit, redact your role, or describe a fix as 'an internal improvement' when it was your finding.

Safe harbor

Good-faith research is welcome

We will not pursue legal action against researchers acting in good faith under this policy. Acting in good faith means staying within the scope and out-of-scope rules above, not destroying or exfiltrating data beyond the minimum needed to demonstrate the issue, and giving us the disclosure window agreed for the report.

Our commitment

Research conducted consistent with this policy is authorized. We consider it a violation only of this policy — not of any computer-misuse statute — to the extent we have the authority to grant that. We will say so in writing if you ask before testing.

Ownership — the SRE agent

Who actually runs vulnerability management here

QuKaiZen runs on agents. Vulnerability management is owned by the SRE agent — Buddy's peer in the ARAIL command-tier loop. The agent runs the pipeline; a human supervises every binding action.

What the SRE agent does end-to-end

The SRE agent is not a mailbox autoresponder. It is the operational owner of the intake-to-disclosure pipeline, with retrieval over the Nucleus knowledge base and write access to the ticket queue. A human gate sits in front of every action that changes user-visible state.

  • ·Intake — receives the inbound report from the security@ alias, parses it, and creates a tracked ticket in Nucleus with the original artifact attached.
  • ·Triage — assigns a candidate severity from the rubric above using retrieval over prior advisories, the affected product's threat model, and the in-product surface area. The human confirms or overrides.
  • ·Coordination — opens cross-product issues if the fix touches more than one repo (AeroLLM + ARAIL is the common case for inference-path findings).
  • ·Patch — drives the fix through SSDP: branch, change, review, regression-gate, signed release. The human approves the release.
  • ·Disclosure — drafts the advisory with the reporter's preferred credit, files the CVE if applicable, and publishes once the patched version is generally available. The human signs the publish.

Where the human sits

Charles Darnell is the human-in-the-loop today. Every binding action — confirming severity, scheduling a release window, requesting a CVE, publishing an advisory, signing a release artifact — is taken by the human after the agent presents a recommendation. The agent does not publish, sign, or disclose on its own. This is the same posture QuKaiZen takes everywhere: agents do operations, humans supervise.

Baseline controls in place today

What's already shipping, not what we plan to do

If you're trying to assess our posture before reporting (or before deploying ARAIL on your hardware), here is what is currently true in the repo and in production. Each item is verifiable.

Current controls

Linked items point at the exact lines in this repository.

  • ·HTTPS-only with HSTS preload (max-age=63072000; includeSubDomains; preload) — set at the app layer so it stays correct even if the Traefik edge is bypassed. Source: next.config.ts:9-19.
  • ·X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy that denies camera/mic/geolocation/FLoC — all set globally for every route. Source: next.config.ts:9-19.
  • ·No third-party analytics, no marketing pixels, no behavioral telemetry on qukaizen.com. Verifiable by inspecting the rendered HTML and the network panel.
  • ·Release artifacts are signed with Cosign. The verification public key is published with the release.
  • ·Service tokens are scoped and least-privilege (NUCLEUS_API_KEY for the build pipeline, SITE_API_TOKEN for the dashboard surface — separate by design so a leak of one does not grant the other).
  • ·Standalone Next.js output for the marketing site so the deployed container only has what it needs — no source maps, no dev tools, no .env at runtime.
A real Content-Security-Policy is intentionally not set yet — Next hydration uses inline scripts and a correct CSP needs a per-request nonce strategy. We treat this as a known hardening item, not as 'CSP is enabled'.

Compliance posture

Plainly stated

We hold no formal certifications today. Saying we do, when we don't, would be the first place we lost your trust.

What's true today

QuKaiZen is pre-SOC 2. There is no ISO 27001, no HIPAA program, no FedRAMP authorization. Security here is a posture and a process, not a certificate. We ship the controls listed above because they're correct, not because an auditor required them.

What's on the roadmap

An SBOM produced as a release artifact, dependency-review automation that blocks PRs on advisories above a severity threshold, and a documented incident-response runbook with table-top exercises. We will say so on this page when these are real, not before.

Product-specific notes

What the threat model looks like in each surface

The four products have different blast radii. The same finding can be a Low on one and a Critical on another. These notes orient your report.

ARAIL — runs on the researcher's own hardware

ARAIL is offline-by-default and ships to other people's machines. That makes the blast radius of any single instance small, but it also means we can't push a silent fix — every user has to pull. Findings that compromise the local supply path (model artifacts, the Buddy agent, the SRE agent in CTL, the on-box ticket store) are weighted higher because the update channel is the mitigation.

AeroLLM — open source inference engine

Public source means anyone can read for vulnerabilities. We treat the runtime layer-streaming path, the model loader, and the quantization decoders as the highest-stakes surfaces. License and attribution gating is enforced before any contribution lands. Bugs in the inference path that produce silently wrong outputs are in scope — correctness is a security property here.

Nucleus — internal build pipeline

Internal, not user-facing. Threat model is supply-chain: anything that lets an unauthorized commit enter the SSDP and end up in a signed release artifact. Sealed-bridge and regression-gate controls live here.

qukaizen.com — this site

Server-rendered marketing surface with a small admin sub-tree behind auth. The high-value findings here are auth bypass, content injection that survives sanitization, and any path that turns a public route into a write surface.

Disclosure history

Public advisories

No public advisories have been issued yet. When they are, each one will land here with a stable anchor (id, date, affected product, CVE if applicable).

Nothing to report — yet

This is the section that should make you the most curious. An empty disclosure history can mean we're new (true), it can mean nobody has looked (also somewhat true), or it can mean we've been hiding things (not true; see Coordinated disclosure). When entries appear here, they will be specific, dated, and credited.

Dictionary →