Responsible Vulnerability Disclosure Policy

Effective Date: March 03, 2026

CTRL-A Technical Services (“CTS”) is committed to maintaining the security and integrity of our systems and the environments we manage. We welcome responsible security research conducted in good faith and appreciate reports that help us improve our defenses.

The information we collect is controlled by CTRL-A Technical Services, LLC, which is headquartered in the United States at 2108 N ST, Ste N Sacremento, CA 95816, USA.

Scope

This policy applies to:

  • ctrl-a.io

  • Subdomains under ctrl-a.io

  • Public-facing infrastructure owned and operated by CTRL-A Technical Services

This policy does not extend to client-managed systems unless explicitly authorized in writing.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in systems owned by CTRL-A Technical Services, please report it to: [email protected]

To help us validate and address the issue, include:

  • A detailed description of the vulnerability

  • Steps to reproduce the issue

  • Affected URL, IP, or component

  • Proof-of-concept code (if applicable)

  • Your contact information

If possible, please encrypt sensitive details using our public PGP key available at: https://ctrl-a.io/.well-known/pgp-key.asc

Our Commitment

When a report is received in good faith, we will:

  • Acknowledge receipt within a reasonable timeframe

  • Investigate and validate the issue

  • Take appropriate remediation action

  • Communicate resolution status when appropriate

Responsible Disclosure Guidelines

We ask that researchers:

  • Avoid accessing, modifying, or deleting data that does not belong to them

  • Avoid disrupting services (no denial-of-service testing)

  • Do not exploit vulnerabilities beyond what is necessary to demonstrate impact

  • Do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate

Safe Harbor

We will not pursue legal action against researchers who:

  • Act in good faith

  • Follow this policy

  • Avoid privacy violations, data destruction, and service disruption

  • Provide reasonable time for remediation before disclosure

No Compensation

CTRL-A Technical Services does not currently operate a bug bounty program and does not provide financial compensation for vulnerability disclosures.

Acknowledgment

At our discretion, we may publicly acknowledge researchers who responsibly report validated vulnerabilities.