
Vulnerability Disclosure Policy

Effective June 16, 2026


1. Purpose and Commitment

1.1 Purpose Statement

Elnora AI, Inc. and its affiliate Elnora AI OÜ (together, "Elnora AI") are committed to maintaining the security and integrity of our AI-powered platform for the pharmaceutical and life sciences industry. This Vulnerability Disclosure Policy ("Policy") establishes a framework for security researchers, customers, and the public to report potential security vulnerabilities in our systems responsibly.

We believe that coordinated vulnerability disclosure is essential to maintaining the trust of our pharmaceutical and life sciences customers who rely on our platform for sensitive research data.

1.2 Scope of Systems

In-Scope Systems:

This Policy covers the following internet-facing systems, applications, and services operated by Elnora AI:

| Category | Systems |
| --- | --- |
| Web Applications | *.elnora.ai domains and subdomains |
| API Endpoints | REST and GraphQL API endpoints |
| Authentication | Authentication and authorization flows |
| Customer Portal | Customer-facing dashboards and interfaces |
| Public Infrastructure | Elnora-operated, internet-facing AWS service configurations and API gateway configurations (not AWS's own managed infrastructure) |

Out-of-Scope Systems:

The following are explicitly excluded from this Policy:

| Category | Systems | Report To |
| --- | --- | --- |
| AI Model Behavior | AI model safety issues (see Section 6) | security@elnora.ai (will be triaged separately) |
| Third-Party Infrastructure | AWS, Azure, GCP physical/hypervisor vulnerabilities | Respective cloud providers |
| AI Provider Systems | OpenAI, Anthropic, or other AI provider vulnerabilities | Respective providers |
| Customer Systems | Customer-owned networks, systems, or data | Not our systems |
| Physical Security | Physical premises, facilities, or devices | Not covered by this Policy |

1.3 Scope of Vulnerabilities

In-Scope Vulnerabilities:

We accept reports for the following categories of security vulnerabilities:

Tier 1 - Critical (Immediate Priority):

  • Authentication and authorization bypasses
  • Multi-tenant data isolation failures
  • Remote code execution (RCE)
  • SQL injection with data exfiltration potential
  • Customer data cross-contamination
  • Unencrypted sensitive data transmission
  • Cryptographic key exposure or misconfiguration

Tier 2 - Standard Web Application Security:

  • Injection vulnerabilities (SQL, NoSQL, command, LDAP, XML/XXE)
  • Cross-site scripting (XSS) - stored, reflected, DOM-based
  • Cross-site request forgery (CSRF/XSRF)
  • Server-side request forgery (SSRF)
  • Privilege escalation
  • Insecure direct object references (IDOR)
  • Broken object level authorization (BOLA)
  • Security misconfigurations (exposed debug endpoints, default credentials)

Tier 3 - Infrastructure:

  • Local file inclusion (LFI) / Path traversal
  • Session fixation or hijacking
  • Known vulnerable dependencies (exploitable in our context)
  • API rate limit bypasses with security implications

Out-of-Scope Vulnerabilities:

The following are not covered by this Policy:

  • AI model safety issues (see Section 6)
  • General security best practice gaps without proof-of-concept exploit
  • Physical security compromises or intrusions
  • Social engineering, phishing, or vishing attacks
  • Denial of service (DoS/DDoS) attacks
  • Rate limiting on unauthenticated endpoints
  • Self-XSS requiring victim interaction beyond clicking a link
  • Clickjacking without demonstrated sensitive action impact
  • Missing security headers without exploitable vulnerability
  • Software version disclosure
  • SSL/TLS best practice recommendations without exploitable weakness
  • Email enumeration (acceptable for B2B SaaS)
  • Dependency vulnerabilities without demonstrated exploitability in our context
  • Zero-day vulnerabilities in third-party software that have been patched within 30 days

2. How to Report Vulnerabilities

2.1 Contact Information

Primary Contact:

2.2 Required Information

When submitting a vulnerability report, please include the following information:

| Field | Description | Required |
| --- | --- | --- |
| Vulnerability Type | Category of vulnerability (e.g., XSS, SQL injection) | Yes |
| Severity Assessment | Your assessment of impact (Critical/High/Medium/Low) | Yes |
| Affected System | Specific URL, endpoint, or system affected | Yes |
| Summary Description | Brief description of the vulnerability | Yes |
| Technical Details | Detailed technical explanation | Yes |
| Reproduction Steps | Step-by-step instructions to reproduce | Yes |
| Proof-of-Concept | Screenshots, videos, logs, or code demonstrating the issue | Yes |
| Potential Impact | Description of potential business or security impact | Recommended |
| Remediation Suggestions | Your recommendations for fixing the issue | Recommended |
| Your Contact Information | Email address for follow-up communications | Yes |

Submission Guidelines:

  • Submit one vulnerability per report
  • Use clear, concise language
  • Include all relevant technical details
  • Redact any sensitive data in screenshots or logs
  • Do not include actual customer data in reports

Elnora processes the personal data you provide in a vulnerability report (such as your name and contact details) as a controller, for the purpose of triaging and responding to your report and, where you consent, crediting you. This processing is described in our Privacy Policy.


3. Safe Harbor Statement

3.1 Legal Protections

Elnora AI will not initiate legal action against security researchers who:

  1. Act in Good Faith: Conduct research consistent with this Policy
  2. Avoid Harm: Do not intentionally, recklessly, or through avoidable negligence cause damage to systems, data, or operations; inadvertent impact that the researcher promptly reports and ceases does not by itself forfeit safe harbor
  3. Respect Privacy: Do not access, download, or retain user data, Protected Health Information (PHI), or customer research data
  4. Report Responsibly: Submit findings through designated channels and allow reasonable time for remediation before any public disclosure
  5. Minimize Impact: Use the minimum access necessary to demonstrate a vulnerability

3.2 Conditions for Safe Harbor

Safe harbor protection applies provided the researcher:

  • Does not exploit vulnerabilities beyond proof-of-concept demonstration
  • Does not engage in extortion, threats, or conditional disclosure
  • Is not on any applicable sanctions or restricted-party list (including those administered by the US Office of Foreign Assets Control, the UK Office of Financial Sanctions Implementation, and the European Union) or subject to other legal restrictions
  • Complies with all applicable laws during research
  • Does not access, modify, or exfiltrate production customer data
  • Follows the testing guidelines outlined in Section 5

3.3 CFAA Authorization Statement

We consider activities conducted consistent with this Policy to be "authorized" conduct under the Computer Fraud and Abuse Act (18 U.S.C. § 1030). To the extent within Elnora's control, we will not pursue civil or criminal action, and will not support any third-party action, against researchers who comply with this Policy. This authorization does not bind third parties, including government authorities, and does not extend to conduct that violates applicable law outside the CFAA. This Section 3.3 addresses United States law specifically; the authorisation in Section 3.3a addresses unauthorized-access laws generally.

3.3a General Authorization Statement

For researchers acting consistently with this Policy, Elnora's permission to access and test its in-scope systems constitutes authorisation by the system owner for the purposes of unauthorized-access laws, including the United States Computer Fraud and Abuse Act (18 U.S.C. § 1030), the United Kingdom Computer Misuse Act 1990, and the national laws of EU/EEA Member States transposing Directive 2013/40/EU. This authorisation is limited to Elnora's own systems, is given only to the extent within Elnora's control, and does not bind any government authority or third party.

To the extent your good-faith security research conducted within the scope of this Policy would otherwise breach contractual restrictions you owe to Elnora AI (including the Terms of Service or Acceptable Use Policy), Elnora AI waives enforcement of those restrictions solely against you and solely to the extent necessary to permit that research. This waiver is limited to security-research conduct within scope; it does not relax any restriction as applied to your use of the Platform as a customer or Authorized User, and it does not amend any Order Form, MSA, or DPA.

3.4 DMCA and EU Anti-Circumvention Safe Harbor

We do not assert claims under Section 1201 of the Digital Millennium Copyright Act (DMCA) against researchers conducting good-faith security research on Elnora's systems consistent with this Policy. This waiver applies solely to circumvention of technological protection measures necessary to carry out security research within the scope of this Policy, and only to the extent that such research complies with all other conditions herein.

For researchers located in the European Union and EEA, this Policy constitutes Elnora AI's authorisation to carry out the technical measures (including any circumvention of technological protection measures) strictly necessary for good-faith security research within the scope of this Policy. To the extent any such measure is protected under Article 6 of Directive 2001/29/EC, or under Directive 2009/24/EC for computer programs, as transposed into applicable national law, Elnora consents to its circumvention solely for in-scope research and only where the research complies with all other conditions of this Policy.

3.5 Exclusions from Safe Harbor

Safe harbor protection does not extend to:

  • Testing conducted outside the scope defined in this Policy
  • Activities that violate applicable laws
  • Actions that intentionally or recklessly harm Elnora AI customers, users, or third parties
  • Disclosure to third parties before coordinated public disclosure
  • Attempts to extort payment or other benefits

4. What to Expect from Elnora AI

4.1 Response Timeline

| Stage | Timeline | Description |
| --- | --- | --- |
| Initial Acknowledgment | 3 business days | Confirmation of receipt and tracking ID assignment |
| Triage Completion | 5 business days | Validation and initial severity assessment |
| Status Updates | Every 14 days | Progress updates until resolution |

4.2 Remediation Timeline

Elnora AI commits to the following remediation timelines based on validated severity. The severity-based remediation targets correspond to the vulnerability-remediation service levels in Schedule 1 §6 of the Data Processing Addendum; the disclosure timeline below is specific to this Policy:

| Severity | CVSS Score | Remediation Target | Disclosure Timeline |
| --- | --- | --- | --- |
| Critical | 9.0 - 10.0 | 15 days | 30 days post-fix |
| High | 7.0 - 8.9 | 30 days | 45 days post-fix |
| Medium | 4.0 - 6.9 | 60 days | 90 days post-fix |
| Low | 0.1 - 3.9 | 90 days | 120 days post-fix |

4.3 Communication Commitments

Elnora AI will:

  • Take all good-faith reports seriously
  • Evaluate findings promptly and thoroughly
  • Validate vulnerabilities with researchers when needed
  • Take appropriate remediation steps
  • Protect researcher identity unless the researcher consents to disclosure or disclosure is required by law, legal process, or a binding governmental or regulatory request
  • Acknowledge submissions within the stated timeline
  • Maintain regular communication throughout investigation
  • Notify researchers when vulnerabilities are remediated

4.4 Exception Handling

If a vulnerability cannot be remediated within the standard timeline, Elnora AI will:

  • Document a risk treatment plan
  • Communicate the extended timeline to the researcher
  • Provide regular status updates
  • Consider compensating controls

5. Rules of Engagement

5.1 Permitted Testing Activities

Researchers are permitted to:

  • Test using their own accounts or designated test accounts
  • Perform reconnaissance using public DNS enumeration, security header analysis, and SSL/TLS configuration review
  • Submit non-destructive proof-of-concept demonstrations
  • Create reasonable test data in their own or designated test accounts. Elnora will remove researcher-created test data during normal remediation and account cleanup; researchers should not rely on this for any data they would not want retained
  • Attempt authorization bypasses against their own resources
  • Conduct API fuzzing within documented rate limits

5.2 Prohibited Activities

The following activities are strictly prohibited:

Data Integrity:

  • Modifying or deleting customer data
  • Accessing other customers' research data
  • Corrupting, poisoning, or altering AI models or training data (a non-destructive proof-of-concept demonstrating an integrity weakness, reached via an in-scope vulnerability, is permitted; actual corruption is not)
  • Tampering with scientific results or outputs

Service Disruption:

  • Denial of service attacks
  • Resource exhaustion
  • Flooding or spam attacks
  • Intentional service degradation

Unauthorized Access:

  • Accessing customer accounts without explicit permission
  • Exfiltrating real pharmaceutical or research data
  • Pivoting to internal AWS resources
  • Social engineering employees, contractors, or customers

Destructive Testing:

  • Running automated scanners without prior approval
  • Exploiting vulnerabilities beyond proof-of-concept
  • Chaining vulnerabilities beyond what is necessary to demonstrate impact, or to gain or attempt deeper unauthorized access
  • Physical security testing

5.3 Data Handling Requirements

Production Data Protection:

Given the sensitivity of pharmaceutical research data, researchers must:

  1. Stop Immediately if customer data exposure is discovered
  2. Do Not Download, Store, or View customer research data
  3. Report the Vulnerability without accessing the data
  4. Delete Immediately any accidentally cached data

Regulatory Compliance:

Pharmaceutical research data may be subject to:

  • FDA regulations (drug development data)
  • Export-control laws (including the U.S. Export Administration Regulations and analogous EU dual-use controls) that may apply to certain research data or technology
  • Customer NDAs and IP agreements
  • Other privacy or sectoral laws applicable to customer data the researcher may inadvertently encounter

Unauthorized access may have legal consequences beyond this Policy.

Any non-public technical, architectural, or business information of Elnora AI that you observe in the course of your research is confidential. You agree not to use it other than to prepare and submit your report, and not to disclose it to any third party or publish it, except as expressly permitted under the coordinated-disclosure terms of Section 8.

5.4 Third-Party Scope Exclusions

Do not test systems belonging to:

  • Our customers or their partners
  • The underlying cloud-provider infrastructure (AWS, Azure, GCP), as distinct from Elnora's own configurations of those services, which are in scope per §1.2
  • OpenAI, Anthropic, or other AI providers
  • Any third-party cloud, hosting, identity, or infrastructure providers we rely on (for example, AWS and Google Workspace)

Report vulnerabilities in these systems directly to the respective organizations.


6. AI-Specific Considerations

6.1 Security vs. Safety Distinction

Elnora AI distinguishes between infrastructure security vulnerabilities and AI model safety issues:

| Type | Examples | Reporting Channel |
| --- | --- | --- |
| Security Vulnerabilities (In-Scope) | Authentication bypass, SQL injection, XSS, SSRF, data exposure | security@elnora.ai |
| AI Safety Issues (Out-of-Scope for this Policy) | Jailbreaks, prompt injections, harmful content generation, hallucinations | security@elnora.ai (subject: "AI Safety Issue") |

Where an AI-model interaction (including prompt injection or adversarial input) results in a security impact such as unauthorized access, multi-tenant data exposure, or remote code execution, the report is treated as an in-scope security vulnerability and is covered by this Policy and its Safe Harbor. The data-protection conditions in Sections 3 and 5 continue to apply.

6.2 AI Model Out-of-Scope Items

The following AI-related issues are not covered by this Vulnerability Disclosure Policy:

  • Prompt injection or jailbreak attempts
  • Model hallucinations or factual inaccuracies
  • AI output that bypasses content policies
  • Adversarial examples affecting model behavior
  • Training data extraction (unless via infrastructure vulnerability)
  • Model bias or fairness concerns
  • AI output accuracy issues

6.3 Reporting AI Safety Issues

AI safety issues should be reported to security@elnora.ai with the subject line "AI Safety Issue" and will be triaged separately from infrastructure security vulnerabilities. AI safety reports submitted in this way are acknowledged within the same initial-acknowledgment window as security reports (Section 4.1) and are triaged under Elnora's AI risk management process. Good-faith AI safety research conducted within the Rules of Engagement (Section 5) is covered by the Safe Harbor in Section 3.


7. Regulatory Considerations

7.1 GDPR Data Breach Connection

If a reported vulnerability involves actual or potential unauthorized access to personal data subject to GDPR, UK GDPR, or the Swiss FADP, Elnora AI will:

  • Assess whether the vulnerability constitutes a personal data breach under GDPR Article 4(12)
  • Where the affected personal data is Customer Personal Data processed by Elnora as a processor, notify the affected customer (as controller) without undue delay and within 72 hours of becoming aware, in accordance with our Data Processing Addendum, and reasonably assist that customer with its own Article 33/34 obligations
  • Where Elnora acts as a controller (for example, of its own personnel or business data), notify the competent supervisory authority and, where the breach is likely to result in a high risk to individuals' rights and freedoms, the affected data subjects, within the timeframes required by applicable law (72 hours under GDPR and UK GDPR; as soon as possible under the Swiss FADP)

7.2 PHI in Reports

Elnora is not a HIPAA covered entity, has no executed Business Associate Agreement, and customers are contractually prohibited from submitting Protected Health Information (PHI) to the platform (see Acceptable Use Policy §8.3 and Data Processing Addendum §3.5). If a researcher nevertheless encounters data that appears to be PHI:

  • Researchers MUST NOT access, view, copy, or exfiltrate the data
  • Stop testing immediately and report the finding without describing or attaching the data
  • Elnora's incident response team will treat any such finding as a high-severity incident under the Incident Response Plan, will engage the affected customer through the agreed notification channel, and will determine any further regulatory or contractual notification obligations on a case-by-case basis.

7.3 Breach Notification Triggers

Security vulnerabilities reported through this program may trigger breach notification requirements under:

  • GDPR Article 33 (72-hour notification)
  • UK GDPR Article 33 (72-hour notification)
  • California breach notification law (Cal. Civ. Code § 1798.82)
  • NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
  • Customer contractual commitments (e.g., accelerated notification windows shorter than 72 hours where contractually required)

Elnora AI will make breach determinations in accordance with applicable law and our Incident Response Plan.


8. Disclosure and Credit

8.1 Coordinated Disclosure Process

Elnora AI practices coordinated disclosure:

  1. Researcher reports vulnerability via designated channels
  2. Elnora AI acknowledges receipt within 3 business days
  3. Elnora AI validates and classifies severity within 5 business days
  4. Elnora AI remediates according to severity timelines
  5. Researcher validates fix in production (upon request)
  6. Public disclosure coordinated between researcher and Elnora AI

8.2 Public Disclosure Conditions

Public disclosure may occur:

  • After Elnora AI has deployed a fix and customers have had reasonable time to update
  • With explicit mutual agreement between researcher and Elnora AI
  • After the standard disclosure timeline has elapsed (per Section 4.2)
  • Earlier if there is evidence of active exploitation in the wild

Exception: Disclosure may be delayed if:

  • The vulnerability affects multiple organizations requiring coordination
  • Active exploitation would cause significant harm to customers
  • Regulatory or law enforcement considerations apply

8.3 Researcher Credit and Recognition

With researcher consent, Elnora AI will:

  • Include researcher name (or alias) in security advisories
  • Provide a letter of acknowledgment upon request

Published Information (with consent):

  • Researcher name or preferred alias
  • General vulnerability category (not technical details)
  • Month and year of responsible disclosure

Prohibited from Publication:

  • Specific vulnerability details until coordinated disclosure
  • Customer impact information
  • Internal system architecture details

9. Recognition Program

9.1 Eligibility Criteria

Elnora AI does not currently operate a paid bug bounty program. However, we deeply appreciate the contributions of security researchers and offer:

  • Public acknowledgment (with consent)
  • Letters of appreciation for professional portfolios
  • First consideration for future paid program participation

10. Integration with Security Program

10.1 Incident Response Integration

Vulnerability reports received through this program are processed according to our Incident Response Plan:

| VDP Severity | CVSS Score | IRP Severity | Initial Response |
| --- | --- | --- | --- |
| Critical | 9.0 - 10.0 | P0 | Immediate escalation to Elnora's security and engineering leadership |
| High | 7.0 - 8.9 | P1 | Routed to the incident response team for triage |
| Medium | 4.0 - 6.9 | P2 | Assigned to the appropriate response team |
| Low | 0.1 - 3.9 | P3 | Scheduled for regular maintenance cycle |

10.2 Documentation

All VDP reports are documented in our ticketing system with:

  • Unique tracking ID (VDP-YYYY-NNN format)
  • Incident collection form per our Incident Response Plan
  • Root cause analysis for verified Critical/High vulnerabilities
  • Evidence preservation per NIST SP 800-86 guidance

10.3 Vendor Security (Subservice Organizations)

Vulnerabilities discovered in our subservice organizations (AWS, Google Workspace, etc.) should be reported directly to those organizations. Elnora AI is not responsible for vulnerabilities in third-party systems beyond our control.


11. Legal Considerations

11.1 Applicable Law

This Policy, and Elnora AI's undertakings in it, are interpreted under the laws of the State of Delaware, United States, without prejudice to any mandatory provisions of the law of the jurisdiction in which a researcher conducts research. Nothing in this Policy alters a researcher's obligations under, or Elnora's authorisation in respect of, the criminal or copyright law of any jurisdiction in which the research is carried out.

11.2 Researcher Representations

By submitting a vulnerability report, you represent that:

  • You have the legal authority to disclose the vulnerability
  • You have not violated any laws in discovering the vulnerability
  • You will not disclose the vulnerability to third parties until coordinated disclosure
  • You are not subject to any restrictions that would prohibit your participation

11.3 Sanctions Compliance

Researchers must not be on any applicable sanctions or restricted-party list (including those administered by the US Office of Foreign Assets Control, the UK Office of Financial Sanctions Implementation, and the European Union) or subject to other legal restrictions that would prohibit Elnora AI from receiving reports or providing acknowledgment.

11.4 No Employment Relationship

Participation in this program does not create an employment, contractor, or agency relationship with Elnora AI.

11.5 Intellectual Property in Submissions

You retain ownership of any intellectual property in your report and proof-of-concept materials. By submitting a report, you grant Elnora AI a worldwide, royalty-free, irrevocable, non-exclusive licence to use, reproduce, store, and create derivative works of the report and any submitted materials for the purposes of evaluating, validating, remediating, and documenting the reported vulnerability and improving Elnora AI's security. You represent that your submission does not knowingly infringe the intellectual property or other rights of any third party. Submission of a report does not transfer ownership of any of your pre-existing intellectual property or research tools to Elnora AI.

11.6 No Contract; No Warranty

This Policy is provided for informational purposes and to authorise and guide good-faith security research. It does not create a contract between you and Elnora AI, confers no enforceable rights, and is not a warranty or guarantee. The response, remediation, and disclosure timelines stated in this Policy are good-faith targets, not binding commitments, and Elnora AI's failure to meet a stated target does not give rise to any claim. Customers' contractual rights and remedies (including any service level commitments) are governed solely by their agreements with Elnora AI and are unaffected by this Policy.


12. Policy Administration

12.2 Contact for Questions

For questions about this Policy before conducting research:

12.3 Policy Change Notification

Elnora AI reserves the right to modify this Policy at any time. The following protections apply to ongoing and previously submitted reports:

  • Any vulnerability report received before the effective date of a policy change is governed by the version of this Policy in effect at the time of initial submission, for the duration of the investigation and any associated disclosure process.
  • Elnora AI will not retroactively reduce safe-harbor protections or shorten disclosure timelines for in-flight reports.
  • Researchers with active, open reports will be notified of any material policy change affecting their report.

Significant changes to this Policy will be announced via:

  • Updates to this document with a revised effective date
  • Notification to active researchers (where contact information is on file)

Thank you for helping us keep Elnora AI secure.

security@elnora.ai