Responsible Disclosure Policy

Our Commitment to Security Research

Complexio maintains a coordinated vulnerability disclosure process to balance rapid security improvements with responsible public disclosure. We collaborate with security researchers to identify and remediate vulnerabilities before they can impact our customers' business-critical automation systems.

This policy applies to all Complexio-owned infrastructure, applications, and services. It does not extend to customer-deployed instances or third-party components outside our direct control.

Reporting Process

Submit vulnerability reports to security@complexio.com with detailed reproduction steps, affected components, and impact assessment. Critical vulnerabilities require "[CRITICAL SECURITY]" in the subject line for expedited processing.

We acknowledge all reports within 24 hours and provide investigation status updates every 5 business days. Our security team validates each report through internal testing and assigns severity ratings based on CVSS 3.1 scoring methodology.

Legal Safe Harbour

Researchers operating within these guidelines receive full legal protection from Complexio. We commit to not pursuing civil or criminal legal action against researchers who responsibly disclose vulnerabilities and avoid unauthorized data access, service disruption, or social engineering activities.

This safe harbour extends to all testing activities within our authorized scope, provided researchers coordinate disclosure timing with our security team and avoid public disclosure before remediation is complete.

Authorised Testing Scope

Security testing is permitted on Complexio-owned public-facing services, applications, and infrastructure explicitly identified as company property. Demo environments are available upon request through our security team.

Customer-deployed instances require explicit written customer permission before any security testing. Our enterprise automation platform processes sensitive business data, making unauthorised testing of customer environments a serious violation of this policy.

Disclosure Coordination

Public disclosure occurs only after vulnerability remediation is complete and deployed to all affected systems. We coordinate disclosure timing with researchers and provide advance notice of our intended publication schedule.

Researchers receive recognition on our security acknowledgments page unless they prefer anonymity. Professional references and career opportunity discussions are available for significant contributions to our security posture.

Response Timeline

Critical vulnerabilities receive immediate attention with remediation targets of 24 hours. High-severity issues are addressed within 7 days, while medium and low-severity vulnerabilities follow standard development cycle integration.

Emergency patches for customer-facing systems may require coordinated deployment schedules to minimize business disruption while maintaining security effectiveness.

Additional Resources

Complete contact information and reporting procedures are maintained in our security.txt file following RFC 9116 standards. Detailed reporting instructions are available on our security contact page.

Security Team Contact: security@complexio.com

Business Hours: Monday-Friday, 9:00-17:00 CET

Emergency Response: 24 hours