
Responsible Disclosure Policy

Effective Date: March 18, 2026

We are a cybersecurity company. We know that no system is perfect, including ours. If you discover a security vulnerability in any CELVEX Group system, we want to hear about it and we want to make it easy and safe for you to tell us.

We also want you to know how we approach disclosure in our own work. When we discover vulnerabilities in the course of our security research and services, we practice responsible disclosure. We report issues to help organizations fix them -- never to harm, threaten, or leverage them. Our reputation depends on doing the right thing, and we take that seriously.

3.1 Our Commitment

CELVEX Group will never threaten, extort, coerce, or leverage discovered vulnerabilities against any party. When we find security issues -- whether in the course of a paid engagement, through our free scan tool, or through independent research -- we report them to the affected party through appropriate channels with the sole goal of helping them remediate the issue.

We do not publicly disclose vulnerabilities in other organizations' systems without coordination. We do not use vulnerability information as leverage in business negotiations. We do not sell vulnerability data to third parties.

This is foundational to who we are.

3.2 Scope

This policy covers:

  • celvexgroup.com and all subdomains (e.g., app.celvexgroup.com, api.celvexgroup.com)
  • Any publicly accessible CELVEX Group infrastructure

3.3 Out of Scope

The following activities and vulnerability types are out of scope and should not be attempted:

  • Social engineering (phishing, vishing, or pretexting against CELVEX Group employees or contractors)
  • Denial of service (DoS/DDoS) attacks
  • Physical attacks against CELVEX Group offices, data centers, or personnel
  • Attacks against third-party services we use (report those to the third party directly)
  • Spam or bulk messaging
  • Findings from automated scanners without manual validation (we run our own scanners -- send us validated findings)
  • Content injection or self-XSS that requires unlikely user interaction and has no realistic security impact

3.4 How to Report

Email: security@celvexgroup.com

Please include:

  1. Description of the vulnerability
  2. Steps to reproduce (the more detail, the better)
  3. Potential impact as you understand it
  4. Your contact information (so we can follow up; we will not share it without your consent)
  5. Any supporting evidence (screenshots, proof-of-concept code, logs)

If you want to encrypt your report, our PGP key is available at https://celvexgroup.com/.well-known/pgp-key.txt

3.5 What to Expect

Step                           Timeline
Acknowledgment                 Within 48 hours of your report
Triage and initial assessment  Within 5 business days
Status update                  You will receive updates at least every 10 business days until resolution
Resolution                     As fast as the nature of the vulnerability allows; we will keep you informed

3.6 Safe Harbor

We will not take legal action against security researchers who:

  • Act in good faith and in accordance with this policy
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Do not disrupt or degrade our services
  • Report vulnerabilities to us before disclosing them publicly
  • Give us a reasonable amount of time to fix the issue before any public disclosure (minimum 90 days)

If you make a good-faith effort to follow this policy and accidentally cause disruption, we will not hold it against you. We are security professionals -- we understand that things can go sideways during research.

We will also work with you to understand the issue and will not file complaints with law enforcement against researchers acting in good faith under this policy. We believe the security research community makes the internet safer for everyone, and we want to be part of that.

3.7 What We Ask

  • Do not access, download, or modify data belonging to other users
  • Do not perform actions that could impact the availability of our services
  • Do stop testing and report immediately if you encounter sensitive data (PII, credentials, etc.)
  • Do use test accounts you create yourself rather than attempting to access real user accounts
  • Do act in good faith at all times

3.8 Recognition

We maintain a Hall of Fame on our website to recognize researchers who help us improve our security. If you report a valid vulnerability:

  • You will be credited by name (or alias) on our Hall of Fame -- only if you consent
  • We will not publicly disclose your identity without your explicit permission
  • We may also express our gratitude in other ways, at our discretion

3.9 Legal

This policy is meant to describe our commitment to working with the security research community. It is not a legal contract and does not override applicable law. However, it reflects our genuine intent: if you act in good faith, we will act in good faith. That is who we are.


Cookie Policy

Effective Date: March 18, 2026

This is a short cookie policy because we have very little to say. That is by design.

4.1 We Do Not Use Tracking Cookies

CELVEX Group does not use tracking cookies. We do not use:

  • Google Analytics cookies
  • Facebook or Meta tracking pixels
  • Advertising cookies
  • Retargeting cookies
  • Any third-party tracking cookies

4.2 Analytics Without Cookies

We use Plausible Analytics for website analytics. Plausible is a privacy-focused analytics tool that:

  • Does not use cookies
  • Does not collect personal data
  • Does not track individuals across websites
  • Does not create visitor profiles
  • Is fully compliant with GDPR, CCPA, and PECR without requiring cookie consent

All analytics data is aggregate and anonymous. We can see that "47 people visited our pricing page today." We cannot see that "John Smith from Acme Corp visited our pricing page at 2:14 PM."

4.3 Essential Cookies Only

We may set a small number of essential cookies that are strictly necessary for the website to function:

Cookie          Purpose                                                Duration
Session cookie  Maintains your session if you log in to our platform   Expires when you close your browser, or after 24 hours
CSRF token      Prevents cross-site request forgery attacks on forms   Expires when you close your browser

These cookies do not track you. They do not contain personal information. They exist because the website cannot function securely without them.

4.4 Free Scan Tool

The free scan tool may set a session-related cookie to maintain state during the scanning process (e.g., to associate you with your scan results and to enforce rate limits). This cookie:

  • Contains no personal information
  • Is not used for tracking or analytics
  • Expires when your browser session ends or within 24 hours
  • Is strictly necessary for the tool to function

4.5 No Third-Party Cookies

No third party sets cookies through our website. When you visit celvexgroup.com, the only cookies that may appear in your browser are the essential ones listed above, set by us.

4.6 No Consent Banner Needed

Because we do not use tracking cookies, we do not display a cookie consent banner. There is nothing to consent to. We believe this is better for everyone: you get a cleaner browsing experience, and we do not have to pretend that an "accept all cookies" button is meaningful consent.

4.7 Questions

If you have questions about our cookie practices: privacy@celvexgroup.com


security.txt

RFC 9116 Standard Implementation

The following content is placed at /.well-known/security.txt on celvexgroup.com:

Contact: mailto:security@celvexgroup.com
Expires: 2027-03-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://celvexgroup.com/.well-known/security.txt
Policy: https://celvexgroup.com/responsible-disclosure
Hiring: https://celvexgroup.com/careers

This file follows the RFC 9116 standard for reporting security vulnerabilities. The Expires field is updated annually.
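The following validator is an added example, not CELVEX Group's own tooling: it parses a security.txt file in the RFC 9116 field format shown above and checks the rules a reporter depends on (Contact present and a URI, exactly one Expires that is neither in the past nor more than a year out, Preferred-Languages at most once). The embedded file is a constructed copy of the one listed on this page; the `now_iso` parameter is an assumption so the check is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the file the page says is served at /.well-known/security.txt.
SECURITY_TXT = """\
Contact: mailto:security@celvexgroup.com
Expires: 2027-03-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://celvexgroup.com/.well-known/security.txt
Policy: https://celvexgroup.com/responsible-disclosure
Hiring: https://celvexgroup.com/careers
"""

def parse_security_txt(text):
    """Return {field-name (lowercase): [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2027-03-18T00:00:00.000Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def validate_security_txt(text, now_iso):
    """Check the RFC 9116 rules a reporter relies on; returns a list of problems (empty = OK).
    now_iso is the assumed 'current time' so the expiry check is reproducible."""
    now = _parse_ts(now_iso)
    fields = parse_security_txt(text)
    problems = []
    # Contact is mandatory and must be a URI; mailto:, https: and tel: are the usual schemes.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact field is required")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    # Expires is mandatory, must appear exactly once, and decides whether the file is stale.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")
        else:
            if exp <= now:
                problems.append("file has expired; do not rely on its contact details")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    # Preferred-Languages may appear at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems
```

Run against the page's file with a "now" of 18 March 2026 the checks pass; move "now" past 18 March 2027 and the file is reported as expired, which is why the page's annual Expires refresh matters.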


Scanning and Testing Disclaimer

Effective Date: March 18, 2026

This disclaimer applies to all scanning and testing services provided by CELVEX Group, whether free or paid. Please read it carefully.

We are your trusted security partner. Our goal is straightforward: to help you identify and fix security issues before bad actors find them. We would never do anything to compromise that trust. Everything described below exists to protect both of us so we can focus on that shared mission.

6.1 Free Scan Tool -- Passive Scanning Only

The CELVEX Group free scan tool performs passive scanning only. This means:

  • It uses only publicly available information -- the same information that any person or search engine can access on the open internet.
  • It queries public DNS records, certificate transparency logs, publicly accessible HTTP headers, WHOIS records, and similar publicly available data sources.
  • It does not probe, exploit, brute-force, fuzz, authenticate to, or actively interact with target systems beyond what a standard web browser does in the normal course of loading a webpage.
  • It does not attempt to discover or exploit vulnerabilities.
  • It does not access any non-public data, restricted areas, or authenticated portions of any system.
  • It does not send any traffic that could be considered hostile, intrusive, or anomalous.

The free scan tool and all results it produces are provided "AS IS," without warranties of any kind. CELVEX Group makes no representations or warranties regarding the accuracy, completeness, reliability, timeliness, or usefulness of free scan results. The free scan tool is provided as a courtesy to the security community, and its use is entirely at your own risk.

6.2 Paid Testing -- Authorized, Scoped, and Coordinated

All paid penetration testing and security assessment work performed by CELVEX Group is:

  • Authorized: Conducted only with the client's explicit written authorization, as documented in a signed Statement of Work.
  • Scoped: Limited strictly to the systems, applications, networks, and environments identified in the SOW.
  • Coordinated: Scheduled during agreed testing windows and coordinated with the client's technical and operations teams.
  • Professional: Conducted by experienced security professionals following industry-standard methodologies and best practices.

The client acknowledges that authorized security testing may involve interacting with production systems in ways that could potentially cause unexpected behavior, service disruption, or other impacts. By signing a Statement of Work authorizing testing, the client accepts the inherent risks of security testing and agrees that CELVEX Group is not liable for impacts that occur during testing activities conducted within the agreed scope and parameters.

6.3 No Denial-of-Service or Destructive Testing

CELVEX Group does NOT perform denial-of-service attacks, distributed denial-of-service attacks, heavy load testing, stress testing, capacity testing, or any form of destructive testing against production systems.

This is a core principle, not a footnote.

The sole exception is when the client has specifically engaged CELVEX Group for resilience, load, or stress testing under a signed Statement of Work that:

  • Explicitly describes the nature and scope of the testing
  • Defines acceptable load levels and escalation thresholds
  • Specifies coordinated testing windows agreed upon by both parties
  • Includes a documented kill-switch procedure for immediate cessation of testing
  • Confirms the client has appropriate monitoring, safeguards, and rollback capabilities in place

Under no other circumstances will CELVEX Group intentionally generate traffic, request volumes, or system loads designed to test or exceed the capacity of a client's systems.

6.4 No Guarantee of Findings Accuracy or Completeness

Security assessments are conducted with professional care and diligence. However, CELVEX Group does not warrant or guarantee that:

  • All findings are accurate or free from false positives
  • All vulnerabilities present in the assessed systems have been discovered
  • Findings reflect the current state of systems at any time after the assessment was conducted
  • Remediation of reported findings will make a system secure against all threats
  • Any particular vulnerability will or will not be exploited by third parties

No security assessment can provide absolute assurance. The threat landscape is dynamic, systems change continuously, and new vulnerabilities are discovered daily. Our assessments represent a professional evaluation at a specific point in time using specific methodologies.

6.5 No Liability for Client Remediation Decisions

CELVEX Group reports findings and provides remediation guidance based on our professional judgment. The decision of whether, when, and how to remediate is entirely the client's. We are not liable for:

  • The client's decision not to remediate a reported vulnerability
  • The client's delay in remediating a reported vulnerability
  • Inadequate or incorrect remediation performed by the client or the client's other vendors
  • Consequences arising from the client's prioritization decisions regarding reported findings

We strongly encourage clients to remediate critical and high-severity findings promptly, and we are always available to advise -- but the responsibility for remediation decisions rests with the client.

6.6 No Liability for Breaches

CELVEX Group is not liable for security breaches, data loss, unauthorized access, or other security incidents affecting the client's systems, whether such incidents occur before, during, or after an engagement. This includes, without limitation:

  • Breaches exploiting vulnerabilities that were reported by CELVEX Group but not remediated by the client
  • Breaches exploiting vulnerabilities that were not discovered during the engagement
  • Breaches occurring through attack vectors that were outside the scope of the engagement
  • Breaches caused by changes to the client's systems made after the engagement
  • Breaches caused by third parties, insider threats, or social engineering

Our role is to help you understand and reduce your risk. We do that with dedication and integrity. But we cannot guarantee outcomes in an adversarial environment, and we are not an insurance policy against future incidents.

6.7 Your Responsibility

By using any CELVEX Group service, you acknowledge that:

  • You are responsible for your own security posture and remediation decisions
  • You will not rely on any CELVEX Group scan, assessment, or report as your sole basis for security decisions
  • You understand that security is an ongoing process, not a one-time activity
  • You will maintain your own security monitoring, incident response, and remediation capabilities

6.8 Contact

Questions about this disclaimer: legal@celvexgroup.com


Trusted Partner Statement

Effective Date: March 18, 2026

We exist to help you find and fix security issues before attackers do.

This is not a marketing tagline. It is the reason CELVEX Group exists. Every service we offer, every tool we build, and every engagement we take on is guided by a simple commitment: to make our clients more secure.

We operate with integrity, transparency, and respect for your systems. When you invite us to examine your security posture -- whether through our free scan tool or a full-scope penetration test -- you are placing your trust in us. We do not take that lightly. We treat every engagement as a partnership built on mutual respect and shared goals.

We never test without authorization. Our free scan tool gathers only publicly available information. Our paid testing services operate strictly within the scope you define and authorize. We do not exceed boundaries, and we do not take liberties with access.

We never access data beyond what is needed for the engagement. If we encounter sensitive data during testing, we stop, document the access path, report it to you, and move on. We do not copy, retain, or use sensitive data beyond what is strictly necessary to demonstrate the finding.

We never leverage findings for anything other than your benefit. When we discover a vulnerability, we report it to you so you can fix it. We do not use findings to embarrass, threaten, extort, or gain advantage over anyone. We do not sell vulnerability information. We do not disclose your vulnerabilities to third parties.

We are on your side. The security landscape is challenging enough without wondering whether your security partner has your best interests at heart. We do. Our business succeeds when our clients are more secure. That alignment of incentives is by design.

We hold ourselves to the highest standards of professional conduct. We invest in our people, our tools, and our methodologies so that when you engage CELVEX Group, you are getting the best we have to offer.

This is our promise to every client, every user, and every organization we work with: we will always act in your best interest, with honesty, professionalism, and care.

If you ever feel we have fallen short of this commitment, we want to know. Reach out to us directly at trust@celvexgroup.com and our leadership team will respond personally.


All legal pages are owned and maintained by CELVEX Group. For questions, contact legal@celvexgroup.com.

© 2026 CELVEX Group. All rights reserved. Built with precision in North America.