Tensflare Ltd. ("Tensflare," "we," "our," or "us") takes the security of our systems and user data seriously. We welcome feedback from security researchers acting in good faith who help us identify and report potential vulnerabilities.
Purpose
Tensflare builds trust infrastructure for consequential AI. Central to our mission is the security and integrity of our systems, services, and the data our users and partners entrust to us. This Responsible Disclosure Policy outlines how we collaborate with the security researcher community to identify and address potential vulnerabilities in our systems.
If you discover a vulnerability affecting multiple services, we encourage you to submit separate reports to each affected organisation so all impacted services can properly assess and address the vulnerability.
Scope of Systems
This Policy covers all internet-facing information systems, applications, and websites owned, operated, or controlled by Tensflare, including the tensflare.com domain and related subdomains (collectively, "Information Systems").
This Policy does not cover information systems, websites, or applications owned, operated, or controlled by third parties, including service providers or contractors, even if hosted under a Tensflare domain. You should follow the responsible disclosure processes for those systems separately.
Scope of Vulnerabilities
This Policy covers technical vulnerabilities that may exist on our Information Systems, including but not limited to misconfigurations, cross-site request forgeries (CSRF), privilege escalation, SQL injection, cross-site scripting (XSS), and directory traversal.
This Policy excludes the following vulnerabilities, subject to Tensflare's discretion:
- General security or email best-practice recommendations without a working proof of concept
- Missing best practices in SSL/TLS configurations without a working proof of concept
- Physical compromise or intrusions
- Rate limiting or brute-force issues on non-authenticated endpoints
- Compromises involving an insider
- Social engineering attacks (including phishing)
- Reflected file downloads
- Account takeovers involving brute force on accounts you do not own
- Red-teaming or adversarial testing of our models
- Content issues with model prompts and responses
- Denial of service attacks
- Clickjacking on pages with no sensitive actions
- Missing HttpOnly or Secure flags on cookies
- Dependency hijacking
- Any widely publicised zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days
We welcome reports concerning safety issues, "jailbreaks," and similar concerns so that we can improve the safety and harmlessness of our models. Please report such issues to safety@tensflare.com with sufficient detail for us to replicate the issue.
How to Submit a Report
If you discover a security vulnerability in a Tensflare system, please report it to us at security@tensflare.com with the subject line "Security Vulnerability Report." Include a detailed summary and supporting evidence (logs, code, proofs of concept) to help us understand, validate, reproduce, and respond to the issue.
At a minimum, please provide:
- The type and severity of the vulnerability
- Technical details associated with the vulnerability
- A summary of the vulnerability
- Steps to reproduce the vulnerability
- URL or location of the vulnerability
- Proof-of-concept scripts, screenshots, or screen recordings
- Potential impact to the Information System
- Any recommended remediation actions
Please submit one vulnerability per report and include any plans or intentions for public disclosure. The more detailed and clear the report, the more effectively we can investigate and respond.
We will generally presume you are acting in good faith if you abide by the following:
- You test Information Systems solely to identify or discover a potential vulnerability and report it to us
- You avoid causing harm to the Information Systems, including data destruction, disruption of services, denial of service attacks, or use of tools that generate substantial traffic
- You avoid exploiting any vulnerability beyond what is minimally required to reasonably prove its existence
- You avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems unless such access is inadvertent
- You do not exfiltrate, download, or otherwise retain any data you collect; if you inadvertently access data, you report it as part of your submission
- You avoid disclosing the existence of or details about the discovered vulnerability to third parties or the public until you have received prior written notice from us
- You do not perform attacks that compromise the security or confidentiality of any account that is not your own
- You do not perform social engineering attacks on any Tensflare employee, contractor, or representative
- You do not, as a condition of disclosure, require payment or compensation or threaten to disclose the vulnerability irresponsibly
- You comply with all applicable laws in connection with your research activities
If you have questions about this Policy or whether your research is consistent with these guidelines, please contact security@tensflare.com before proceeding.
Our Commitment to You
When you promptly and responsibly report a potential vulnerability, you can expect us to:
- Acknowledge your submission within three (3) business days
- Evaluate your findings promptly and in good faith
- If we confirm a vulnerability, validate its existence, confirm it with you, and take appropriate steps to address, mitigate, or remediate it
- Collaborate with you on timely and safe disclosure of your findings
- Protect your name and contact information, disclosing it only with your consent or as required by law
- Refrain from taking legal action as described in the Safe Harbor section below
- Attribute your name and contribution on any public disclosure we make (with your permission)
Safe Harbor
If you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy, we will not pursue legal action arising from your research or responsible disclosure, subject to Tensflare's compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.
Changes to This Policy
We may update this Policy at any time by publishing a new version and updating the "last updated" date. Vulnerabilities disclosed before any update will remain subject to the policy in effect at the time of disclosure.
Contact
- Report a vulnerability: security@tensflare.com
- Safety and model concerns: safety@tensflare.com
- Policy questions: security@tensflare.com
- Tensflare Ltd., Abuja FCT, Nigeria