AESKAR Security Disclosure Policy

Scope

This policy applies to all services operated by A5 Revolve SRL (trading as AESKAR) under the following domains: aeskar.*, a5revolve.*, witted.*, njorn.*, tethys.dev, thereef.tech, thul.tech.

How to Report

Report potential security vulnerabilities by email to security@aeskar.com.

Please include:

• Affected service / domain / URL
• Steps to reproduce (with screenshots or PoC where applicable)
• Impact assessment and your suggested severity
• Your preferred contact method for follow-up

What We Promise

• Acknowledge receipt within 5 business days.
• Provide a substantive response within 14 calendar days outlining our assessment and remediation timeline.
• Credit you publicly (if desired) once the issue is resolved.
• Refrain from legal action against good-faith researchers who follow this policy.

What We Ask of You

• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service testing or stress tests against our infrastructure.
• Do not exploit social engineering against AESKAR personnel.
• Give us reasonable time to remediate before public disclosure (industry-standard 90 days).
• Comply with applicable EU and Italian law (we are an Italian SRL based in Molfetta, BA).

Out of Scope

• Findings purely based on automated scanner output without demonstrated impact.
• Missing security headers without demonstrated exploitability.
• Self-hosted infrastructure of our customers (witted.it customers etc.) — report to the respective owner.
• Physical attacks on AESKAR premises.

Encryption

For sensitive reports, request our PGP key by sending an empty signed email to security@aeskar.com. We will respond with our current public key.

Out of Scope Languages

We accept reports in English and Italian.