Security
How to report a vulnerability, the safe harbor for good-faith research, and how we handle data.
Last updated: June 2026
On this page
Fortiori delivers offensive-security consulting under signed engagement agreements. This page describes how we operate the platform that supports that work — the www.fortiori.io website, contact channels, and ancillary surfaces — and how to reach the security team if you find a problem. We welcome good-faith security research.
Vulnerability disclosure
If you believe you have found a security issue affecting Fortiori, email security@fortiori.io with a description, a reproduction path, and any artifacts that help us confirm the issue. Encrypted reports are welcome; ask for our PGP key in your first message. A machine-readable summary of this policy is published at /.well-known/security.txt (RFC 9116).
Scope
In scope: the public Fortiori marketing properties at www.fortiori.io and subdomains under our control.
Out of scope: third-party services we rely on (report those to the relevant provider); social engineering or phishing of Fortiori staff, customers, or vendors; physical attacks; denial-of-service testing; and separate Fortiori products, which have their own security and disclosure channels.
Safe harbor
We support good-faith security research and do not want you to fear legal risk for helping us. If you make a good-faith effort to comply with this policy during your research:
- We consider your research authorized under applicable anti-hacking laws, and we will not initiate or support legal action against you for it;
- We waive any relevant restrictions in our Terms of Service for that limited research purpose;
- If a third party brings legal action against you and you have complied with this policy, we will take steps to make known that your actions were authorized.
This authorization is limited to activity within scope and does not bind independent third parties. If you are unsure whether something is permitted, ask us first at security@fortiori.io.
Rules for researchers
To stay within the safe harbor, please:
- Access only the minimum data needed to demonstrate an issue; do not view, modify, or delete data that is not yours;
- Stop and report immediately if you encounter personal or confidential data;
- Do not run denial-of-service tests or anything that degrades service for others;
- Do not perform social engineering, phishing, or physical attacks;
- Give us a reasonable time to remediate before any public disclosure.
Response expectations
We acknowledge reports within two business days during the support window described in our support posture (Monday-Friday, 9am-5pm ET). Initial triage lands within five business days. Severity, remediation timeline, and disclosure coordination are scoped per report.
Major findings will receive a public-facing acknowledgement at the reporter's discretion once a fix is shipped. We do not require a fix-first NDA; we do ask reporters to hold disclosure for a reasonable mitigation window.
Coordinated disclosure
We practice coordinated disclosure aligned with industry norms (ISO/IEC 29147 and 30111). We ask that you give us a reasonable window to remediate before any public disclosure — typically up to 90 days — and we will work with you on timing for complex fixes.
Recognition
With your consent, we are glad to credit you publicly once a fix has shipped. Let us know in your report how you would like to be acknowledged.
Bug bounty
Fortiori does not operate a paid bug bounty program at this time. We acknowledge reporters publicly with consent and prioritize remediation of confirmed findings. If this changes — e.g. a formal program launches — we will note it here and update the disclosure channel above.
Compliance posture
Fortiori operates with SOC 2-style controls — least-privilege access, audit logging, encryption in transit and at rest, vendor diligence, change-management gates — without a current Type II attestation. A formal audit commitment is tracked as a separate business decision and will be communicated here when scheduled.
Engagement deliverables, evidence, and client-affecting infrastructure are scoped under the controls described in the specific engagement contract and any client-specific security requirements layered on top.
Data handling
Marketing-surface data (contact-form submissions, newsletter subscriptions, and consent-gated analytics) is described in our Privacy Policy; notably, we never store raw visitor IP addresses, only salted hashes for abuse prevention. Engagement data is governed by the engagement contract: stored on infrastructure dedicated to the engagement, accessed only by named Fortiori personnel, retained per contract, and destroyed on completion unless the contract requires longer retention.
We use vendors for email delivery, error telemetry, and operational hosting. The vendor list and processing purposes are enumerated on our Third-Party Service Providers page.
Engagement confidentiality
Engagements begin with a mutual non-disclosure agreement. Findings, methodologies, and telemetry from a client engagement do not flow into any other client engagement, marketing content, or public commentary without explicit written consent. Where engagement learnings shape a public artifact (e.g. a blog post, conference talk, training module), the artifact is anonymized and reviewed against the engagement NDA before publication.