Vulnerability Disclosure Policy
At Julius AI, the security and confidentiality of our data and intellectual property are of paramount importance. We are responsible for safeguarding not only customer data, but also our proprietary technologies and other intellectual property (IP). To maintain high standards of security and compliance, we welcome responsible vulnerability disclosures from security researchers, partners, and the general public.
Julius AI believes that effective disclosure of security vulnerabilities requires mutual trust, respect, and transparency between Julius AI and security researchers, working toward a common good. Together, this shared vigilance and expertise promotes the continued security and privacy of Julius AI customers and services.
This Vulnerability Disclosure Policy outlines the processes for reporting vulnerabilities, including those that may affect our sensitive data and intellectual property. This policy applies to all systems, technologies, and intellectual property owned, operated, or maintained by Julius AI.
Julius AI accepts vulnerability reports from any source, including independent security researchers, industry partners, vendors, customers, and consultants. Julius AI defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the confidentiality, integrity, or availability of our services.
- We will respond to vulnerability reports promptly.
- We will not take legal action against those who report vulnerabilities in good faith and in accordance with this policy.
- We will work with researchers to validate, address, and remediate vulnerabilities in a timely manner.
- We will protect the confidentiality of sensitive data (PII, PHI) and intellectual property during the reporting and remediation process.
- We will acknowledge the efforts of researchers, subject to legal and policy constraints.
Guidelines for Responsible Disclosure
- Do not access, modify, or exfiltrate any customer data or proprietary information (such as internal company data).
- Do not publicly disclose the vulnerability before Julius AI has had sufficient time to mitigate the issue.
- Do not use vulnerability discovery methods that disrupt or degrade our services (e.g., Denial of Service or brute-force attacks).
- Do make every effort to avoid violating the privacy of our customers or the confidentiality of our intellectual property during your testing.
- Do focus on demonstrating the vulnerability's existence with the minimal proof of concept (PoC) needed to identify the issue, without attempting to access or extract any sensitive data.
- Do include sufficient details in your report, such as the vulnerability description, potential impact, steps to reproduce, and any evidence that may assist in validation.
Scope
This policy applies to vulnerabilities found in:
- Julius AI-owned and operated domains (e.g., *.julius.ai)
- Public APIs provided by Julius AI
- Julius AI’s web and application interfaces
- Infrastructure and services deployed under our control
Exclusions
The following activities are explicitly prohibited under this policy:
- Accessing or attempting to exfiltrate data
- Attacks that exploit intellectual property: Including reverse-engineering, extracting, or tampering with machine learning models or datasets
- Attacks targeting third-party providers: Including infrastructure integrated into Julius AI systems
- Social engineering attacks: Targeting our employees, contractors, or partners (e.g., phishing, pretexting)
- Denial of Service (DoS): Actions that degrade, disrupt, or inhibit our services
- Unauthorized access to or modification of data
Legal Compliance
This policy does not authorize activities that violate applicable laws or regulations, including but not limited to:
- Health Insurance Portability and Accountability Act (HIPAA): For systems involving PHI
- General Data Protection Regulation (GDPR): For systems involving PII
- Intellectual Property Law: Including the unauthorized use or disclosure of proprietary technologies
Safe Harbor
For security research conducted in accordance with this policy, Julius AI:
- Considers it authorized, lawful research
- Will not initiate legal action for good-faith, non-disruptive testing
- Will work with law enforcement or other third parties to explain that your activity was conducted in line with this policy
If you're unsure whether your actions are covered, please contact us at security@julius.ai before proceeding.
Reporting a Vulnerability
Julius AI asks that security researchers report the details of any suspected vulnerability in an asset owned, controlled, or operated by Julius AI (or one that would reasonably affect the security of Julius AI and our users) using the web form below.
The Julius AI Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.