Vulnerability Disclosure Policy
Last updated: October 16, 2025
Aisle is committed to protecting the security and privacy of our customers and partners. We value the contributions of security researchers and others who help us identify and fix potential vulnerabilities responsibly.
Purpose
This policy provides a clear process for reporting potential security vulnerabilities in Aisle products or services. It enables responsible coordination between external reporters and our security team.
Scope
This policy applies to all Aisle-owned systems, applications, services, and websites.
It does not apply to third-party products or services not operated by Aisle. Activities such as social engineering, physical security testing, or denial-of-service attempts are out of scope.
How to Report a Vulnerability
Please email your report to [email protected]
You can also refer to our security.txt file at https://aisle.com/.well-known/security.txt
If you prefer encryption, our PGP key is available below.
Include as much information as possible:
- Affected product, service, or URL
- Step-by-step reproduction or proof of concept
- Expected vs. observed behavior
- Impact assessment or severity (if known)
- Your preferred contact method
Avoid sharing sensitive personal or customer data in your report whenever possible.
Our Commitment
- We will acknowledge receipt within five (5) business days.
- We will evaluate and triage the report promptly.
- We will work with you to verify the issue and coordinate remediation.
- We will notify you once the issue has been resolved or if further details are needed.
- If appropriate, we may publicly acknowledge your contribution with your consent.
Good-Faith Research
We ask that you:
- Do not share information about the vulnerability with others until we have confirmed that it has been resolved.
- Do not abuse the vulnerability or use it to access, modify, or copy data that does not belong to you.
- Do not disrupt or degrade Aisle services, use social engineering, or perform physical attacks.
If you act responsibly and in good faith while following this policy, Aisle will not pursue legal action related to your research. If a vulnerability is exploited or shared before it is remediated, Aisle reserves the right to take appropriate legal steps.
Privacy Notice
Information you share with us in a vulnerability report may be used to reproduce, resolve, and communicate about the issue.
We handle such information in accordance with our Privacy Policy.
Regulatory Alignment
This policy is established in line with recognized cybersecurity standards and frameworks, including the EU NIS2 Directive (Art. 21), ISO/IEC 29147:2018, NIST SP 800-53 Rev. 5 (SI-12), and related CISA and ENISA guidance on vulnerability handling and disclosure.
PGP Key