Astronort Limited Vulnerability Disclosure Policy

Version 2.0 — May 2026

This policy should be read alongside the Ask Astro Terms of Service, Privacy Policy, and Data Protection Assurance, all available at www.askastro.ai.


Introduction

Astronort Limited welcomes feedback from security researchers and the public to enhance our security. If you find any security issues, such as vulnerabilities or exposed data, in our systems, we want to know. This policy explains how to report these issues, what we expect from you, and what you can expect from us.

Where we make material changes to this policy, we will provide at least 14 days' written notice by email before those changes take effect. Non-material changes (such as corrections or clarifications) may take effect immediately.


Systems in scope

This policy applies to any digital assets owned, operated, or maintained by Astronort Limited.


Out of scope

  • Systems or equipment not owned by Astronort Limited.

If you find or suspect vulnerabilities in systems not covered by this policy, please report them to the appropriate party.

Note for Ask Astro customers: The Ask Astro Terms of Service (clause 3.4) prohibit access to the Services for the purposes of penetration testing, benchmarking, or monitoring availability without our prior written consent. If you are a customer and wish to conduct authorised security testing, please contact us at security@astronort.com before proceeding.


Our commitments

When you report a vulnerability to us, we will:

  • Respond quickly and work with you to understand and verify your report.
  • Keep you updated on the progress of fixing the issue.
  • Fix the vulnerability as soon as possible, considering our operational limits.
  • Provide Safe Harbour for your research conducted in accordance with this policy.
  • Where a reported vulnerability constitutes or leads to a security incident affecting customer data, notify affected customers in accordance with our security incident notification obligations (within 72 hours of becoming aware of the incident, to the extent feasible), and notify the Office of the Privacy Commissioner where required under the Privacy Act 2020 (NZ).

Our expectations

If you participate in our vulnerability disclosure program, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there's a conflict between this policy and other applicable terms, this policy takes precedence for the purposes of security research conducted in accordance with it.
  • Report vulnerabilities as soon as you find them.
  • Do not violate privacy, disrupt our systems, destroy data, or harm the user experience.
  • Use only the Official Channels to communicate about vulnerabilities.
  • Give us at least 90 days to fix the issue before you make it public.
  • Only test systems covered by this policy and respect those that are not.
  • If you access unintended data, limit your access, cease testing, and report it immediately. Unintended data includes Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • Only use test accounts you own or have explicit permission to use.
  • Do not engage in extortion.

Official Channels

Report security issues via email to security@astronort.com with all relevant details. The more information you provide, the easier it will be for us to address the issue.

For privacy queries and data rights requests, please contact privacy@astronort.com.


Safe Harbour

When you follow this policy while conducting vulnerability research, we will:

  • Consider your research authorised under anti-hacking laws and not take legal action against you for accidental, good-faith violations of this policy.
  • Consider your research authorised under anti-circumvention laws and not bring claims against you for bypassing technology controls.
  • Waive certain restrictions in our Terms of Service and Acceptable Usage Policy that would otherwise prevent security research conducted in good faith in accordance with this policy.
  • Recognise your actions as lawful and beneficial to internet security if done in good faith.

You must still comply with all applicable laws. If a third party takes legal action against you and you followed this policy, we can confirm your compliance to other parties.

If you have any doubts or concerns about your research, please contact us through the Official Channels before proceeding.

Note: Safe Harbour only applies to legal claims under our control and does not bind third parties.


Vulnerability Disclosure Policy — Version 2.0, May 2026
Issued by Astronort Limited
Supersedes Version 1.0. To report a vulnerability: security@astronort.com