Coordinated Vulnerability Disclosure Policy
Atlas Labs welcomes good-faith security research on every property under hq-fs.com. This policy describes what is in scope, what is out of scope, how to report a vulnerability, and what to expect from us in return.
It is the canonical source referenced from the Policy: field of every /.well-known/security.txt file we publish.
Scope
In scope (any subdomain of hq-fs.com and the production domains for each Atlas Labs application):
- Authentication and session management on the auth server.
- Portfolio data access, transaction integrity, and privilege boundaries on the Ledger application.
- Agent API surface and workspace isolation on the Docs application.
- Public marketing surface on Home.
- Administration and tenant-management surface on Admin (note: Admin is staff-only; report exposure of authenticated views, not the views themselves).
Out of scope:
- Denial-of-service, volumetric, or rate-exhaustion testing.
- Social engineering of Atlas Labs staff or contractors.
- Physical attacks against any office or data centre.
- Vulnerabilities in third-party services we depend on (Stripe, Resend, Cloudflare, etc.) — please report those to the upstream vendor.
- Findings that require already-compromised end-user devices, browser extensions, or browser zero-days.
- Reports generated solely from automated scanners with no demonstrated impact.
Safe harbour
We will not pursue civil, administrative, or law-enforcement action against researchers who:
- act in good faith,
- avoid privacy violations, data destruction, and service disruption,
- provide us a reasonable opportunity to remediate before disclosure,
- and stay within the scope above.
If you are uncertain whether a particular activity is permitted, ask first at security@hq-fs.com.
How to report
Email security@hq-fs.com. Encrypt sensitive proof-of-concept payloads with the PGP key published at /.well-known/atlas-labs-pgp.asc.
A useful report includes:
- A clear description of the vulnerability and its impact.
- Reproduction steps (URLs, parameters, sample requests).
- Any proof-of-concept code or screenshots.
- Your preferred attribution name (or anonymous, if you prefer).
We will acknowledge receipt within 3 business days, provide a preliminary triage assessment within 10 business days, and aim to remediate Critical or High issues within 30 days. Medium and Low issues are scheduled into the regular release cadence.
Coordinated disclosure
We follow a 90-day coordinated disclosure window starting from the date of acknowledgement. Public disclosure before the window expires is permitted only if Atlas Labs has confirmed the issue is fixed in production.
If a fix is not feasible within 90 days, we will agree an extension with the reporter in writing. We do not invoke extensions to avoid disclosure.
Recognition
Researchers who report valid issues are credited (with their consent) in our public Hall of Fame at /security/hall-of-fame and earn the security_researcher Legendary achievement on their Atlas account.
A formal monetary bounty programme is on the UA Audit's medium-term roadmap (Section 9.2 — Phase 2 private programme). Until that programme is funded, recognition is non-cash; this policy is not a contract for payment.
Contact
security@hq-fs.com · PGP fingerprint published at /.well-known/atlas-labs-pgp.asc.
Last reviewed: 2026-05-07.