Security & Responsible Disclosure Policy
Published for transparency and procurement review. For all inquiries, email security@meridianverity.com.
| Document ID | MVG-SECURITY-DISCLOSURE-1.0.0 |
|---|---|
| Version | 1.0.0 |
| Effective date | 2026-02-06 |
| Status | Public |
| Classification | Security policy (public-safe) |
| Contact | security@meridianverity.com |
1. Purpose
Meridian Verity Group LLC (“MVG”) welcomes good-faith security research that helps us protect our users, customers, and the people affected by high-stakes AI deployments.
2. Scope
This policy applies to security vulnerabilities in MVG-controlled systems, including:
- meridianverity.com and MVG-operated web properties
- MVG-controlled APIs and enterprise services (if you have authorization)
- MVG-owned software artifacts distributed by MVG (if explicitly in scope)
This policy does not apply to third-party systems not controlled by MVG (even if linked from the Site).
3. How to report
Email: security@meridianverity.com
Please include, if possible:
- A clear description of the issue and impact
- Steps to reproduce (and minimal proof-of-concept, if needed)
- Affected URLs/endpoints/components and timestamps
- Any relevant logs or screenshots (avoid including sensitive personal data)
- Your preferred credit name/handle (optional)
If you need an encrypted channel (PGP), request it at the email above. MVG publishes security.txt at /security.txt (and mirrors at /.well-known/security.txt where supported) for contact details and keys.
4. Good-faith testing rules (do-not-do list)
To qualify for safe-harbor treatment under this policy, you must follow these rules:
- Act in good faith and avoid privacy violations, data destruction, and service disruption.
- Do not perform denial-of-service (DoS/DDoS) attacks, load testing, or spam.
- Do not access, modify, or exfiltrate data that is not yours. If you encounter sensitive data, stop and report immediately.
- Do not use social engineering, phishing, or physical attacks.
- Do not persist or escalate access beyond what is necessary to demonstrate the vulnerability.
- Use only accounts and test data you own or are explicitly authorized to use.
5. Safe harbor statement (good-faith research)
MVG’s intent is to authorize and support good-faith security research conducted under this policy.
If you comply with this policy in good faith, MVG will:
- Not initiate or support legal action against you for the specific research activities you performed in compliance with this policy,
- Consider your activities to be authorized under this policy to the extent permitted by applicable law,
- Work with you to understand and validate the report and to remediate the issue.
Limitations: This safe-harbor statement does not apply to actions that are unlawful, malicious, or outside the scope/rules above. It also cannot bind third parties or override mandatory legal obligations. This policy does not grant authorization to access data belonging to any third party.
6. Coordinated disclosure
We prefer coordinated disclosure. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.
We will acknowledge receipt and attempt to provide status updates on a reasonable cadence. Timelines vary by severity and complexity.
7. Vulnerability Disclosure Program (VDP) & advisories
MVG operates a public vulnerability disclosure program (VDP). We accept good‑faith reports via security@meridianverity.com (see PGP).
- SLA targets: acknowledgement within 2 business days; initial triage within 7 business days; status updates at least every 14 days until resolved or closed.
- Rewards: MVG does not run a public cash bug bounty at this time. At our discretion, we may offer recognition or discretionary rewards depending on impact and report quality.
- Official advisories feed: when an advisory is published, it is assigned an MVG-ADV-YYYY-NNNN id (and CVE- when applicable) and posted to /security/advisories/ as an append‑only, receipt‑linked feed.
Anti‑phishing: official responses and releases come only from @meridianverity.com.
If a claim cannot be traced to our published receipts, treat it as unverified and report it to security@meridianverity.com.
8. Legal notes
This policy is not a license to break the law or violate third-party rights.
Nothing in this policy creates contractual obligations unless explicitly incorporated into a written agreement.
MVG may modify this policy at any time by posting an updated version.
9. Website publication guidance
Recommended placement: /security or /trust/security.
Also publish: /.well-known/security.txt (strongly recommended) and keep it current.
Change log
v1.0.0 - Initial publication.