Security
Vulnerability Disclosure Policy
Effective: July 17, 2026
Our Commitment
Deasil Works, Inc. operates the Plexara platform and the plexara.io website. We take security reports seriously and appreciate the work of researchers who report vulnerabilities to us in good faith.
Report anything you find in Plexara directly to us. We own the commercial package our clients run, including the versions we build, test, and pin, so we are the right and only place to send a report about the product or our services.
Scope
This policy covers the plexara.io website and the services we operate for public use, including api.plexara.io, mcp-test.plexara.io, api-test.plexara.io, and our demonstration platform environments.
Client production deployments are out of scope. Each Plexara client runs a dedicated platform installation, and testing against a client deployment requires that client’s explicit authorization, not ours.
Also out of scope: denial-of-service or volumetric testing, social engineering of Deasil Works staff or clients, physical attacks against facilities, spam, and findings from automated scanners without a demonstrated vulnerability.
How to Report
Email [email protected] with the subject line "Security Vulnerability Report". Include a description of the issue, the affected URL or component, steps to reproduce, and your assessment of impact. Proof-of-concept detail helps us triage faster.
This is the right channel for anything you find in Plexara, whether in our services or in the product our clients run. We handle triage, remediation, and any coordination that a fix requires. Reports do not need to go anywhere else.
What to Expect
We will acknowledge your report within two business days and keep you informed as we validate and address the issue.
We target remediation within 90 days of a validated report, and sooner for issues with serious impact. We ask that you give us that window before public disclosure, and we will coordinate a disclosure timeline with you if remediation takes longer.
If you would like credit for a validated finding, we are glad to provide it. We do not currently operate a paid bug bounty program.
Safe Harbor
We will not pursue legal action against researchers who make a good-faith effort to follow this policy. Good faith means testing only in-scope systems, avoiding privacy violations and service degradation, and not accessing, modifying, or destroying data that does not belong to you.
If you encounter customer data or personal information during research, stop, do not save or share it, and report what happened. We treat accidental exposure honestly reported as part of good-faith research.
Machine-Readable Policy
A machine-readable version of our security contact information is published at plexara.io/.well-known/security.txt, following RFC 9116.
See also: Security and Trust Center
