If you find a vulnerability, we want to hear about it.
Aria CyberShield is a security product. We hold ourselves to the standard we sell. This page describes how we receive vulnerability reports, what we commit to in response, and how we run our own platform securely — including the company behind it (Anthrotech Private Limited) and the data we hold.
How to report a vulnerability
Send a single email to dayananda@anthrotech.in with the subject prefix [Security]. Include:
- A clear description of the issue and its impact
- Steps to reproduce (URL, request, payload, etc.)
- Affected endpoint, page, or component
- Your preferred attribution (real name, handle, or "anonymous")
You may encrypt sensitive details — on request we will share an OpenPGP key for follow-up. We do not require pre-disclosure NDAs and we do not pursue legal action against good-faith security research conducted under this policy.
Our commitments to you
| Action | We commit to |
|---|---|
| Acknowledge receipt | Within 24 hours |
| Triage & initial severity | Within 72 hours |
| Status update cadence | At least weekly until resolution |
| Fix & deploy — Critical | Within 7 calendar days |
| Fix & deploy — High | Within 30 calendar days |
| Public credit (if you want it) | In our advisory and on this page |
| Coordinated public disclosure | After fix lands, with your sign-off on timing |
Scope
In scope
- All hosts under ariacyber.in and its subdomains
- The Aria platform API at api.ariacyber.in
- The published Aria EDR agents (Linux, macOS, Windows)
- Aria CLI / SDK distributions, when published
- Anthrotech Private Limited corporate infrastructure exposed publicly
Out of scope
- Findings only reproducible against very old browsers or unsupported OS versions
- Pure clickjacking on pages with no sensitive actions
- Self-XSS that requires the victim to paste code into devtools
- Rate-limit absence on non-authenticated endpoints with no business impact
- Findings against third-party SaaS used by Aria (report to that vendor)
- Social engineering of Anthrotech staff
Safe harbor
We consider security research conducted under this policy to be authorized conduct and will not initiate legal action against researchers acting in good faith. Specifically, research is covered by this policy when researchers:
- Access systems only to the extent necessary to demonstrate the issue
- Do not access, modify, or destroy data belonging to anyone other than themselves
- Stop testing immediately upon discovery and report to us before going further
- Do not publicly disclose details until we confirm a fix has been deployed (or 90 days have passed since the report, whichever is sooner, unless we mutually agree otherwise)
We will work with you in good faith. If a third party brings legal action against you for research conducted under this policy, we will make every effort to publicly clarify that the research was authorized.
How we run Aria securely
Data residency
All customer data, backups, and processing live in asia-south1 (Mumbai, India).
No data leaves India. This is enforced at the Google Cloud project level.
Encryption
Data is encrypted at rest (Google-managed keys, AES-256, soon CMEK on customer request) and in transit (TLS 1.2+ with HSTS). Database backups are encrypted with separate keys.
Authentication
The platform uses magic-link (passwordless) sign-in; we do not store passwords. Platform sessions use RS256-signed JWTs with a 2-hour TTL and refresh-token rotation, backed by a JTI revocation list and per-tenant rate limits.
Decision Ledger
Every autonomous action taken by the Aria platform is recorded in an append-only, hash-chained ledger (per-tenant SHA-256 chain) with database-level REVOKE UPDATE, DELETE.
This is independently verifiable via GET /api/v1/aegis/ledger/verify-chain.
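To make the ledger design concrete, here is an added illustration (not Aria's own code) of a per-tenant SHA-256 hash chain and the kind of check a verify-chain endpoint performs: each entry commits to the previous entry's hash, so editing, deleting or reordering a past decision breaks every link after it. The tenant name and actions are constructed sample data; the field layout is an assumption.

```python
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64  # chain head for an empty per-tenant ledger (assumed convention)

def entry_hash(prev_hash, seq, tenant, action):
    # Canonical JSON so the same fields always hash identically.
    body = json.dumps(
        {"prev": prev_hash, "seq": seq, "tenant": tenant, "action": action},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(body).hexdigest()

def append_action(ledgers, tenant, action):
    """Append one autonomous action to the tenant's chain and return the entry."""
    chain = ledgers.setdefault(tenant, [])
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "tenant": tenant, "action": action, "prev": prev,
             "hash": entry_hash(prev, seq, tenant, action)}
    chain.append(entry)
    return entry

def verify_chain(chain, tenant):
    """Recompute every hash and check linkage. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["tenant"] != tenant or e["seq"] != i or e["prev"] != prev:
            return False, i  # deleted, reordered or cross-tenant entry
        if entry_hash(e["prev"], e["seq"], e["tenant"], e["action"]) != e["hash"]:
            return False, i  # body edited after the fact
        prev = e["hash"]
    return True, None

def build_sample_ledger():
    """Constructed sample data: three actions for a hypothetical tenant."""
    ledgers = {}
    for action in ("isolate-host:web-01", "block-ip:198.51.100.7", "notify:soc"):
        append_action(ledgers, "tenant-a", action)
    return ledgers["tenant-a"]

def tampered_edit(chain):
    bad = deepcopy(chain)
    bad[1]["action"] = "allow-ip:198.51.100.7"  # silent rewrite of a past decision
    return bad

def tampered_delete(chain):
    bad = deepcopy(chain)
    del bad[1]  # a past decision removed from the middle of the chain
    return bad
```

A hash chain on its own only proves consistency relative to its current head; someone able to rewrite every later row could recompute the links, which is why the page pairs it with database-level REVOKE UPDATE, DELETE and an independent verification endpoint.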
Compliance posture
Aligned with India DPDP Act 2023, CERT-In Direction 20(3)/2022 (six-hour incident reporting), and ISO 27001 / SOC 2 control frameworks. See our Privacy Policy, Data Processing Addendum, and Support page.
security.txt
The machine-readable version of this policy is published per RFC 9116 at /.well-known/security.txt. Excerpt:
Acknowledgements
We credit researchers who report issues under this policy. The current list is empty because no external researcher has submitted yet — if you are the first, your name goes here (or stays anonymous, your call).