Version 1.3 · Effective January 1, 2026

Security & Disclosure Policy

This document covers our vulnerability disclosure policy, Safe Harbor principles, product privacy commitments, and research ethics guidelines. It applies to DataWizual Security and to all of its products: Auditor Core v2.1 and Sentinel Core v2.1.

Research Scope

In Scope

  • Publicly accessible repositories and configurations
  • CI/CD workflow definitions (GitHub Actions, GitLab CI, Jenkinsfiles)
  • Infrastructure-as-Code files (Terraform, Kubernetes, Helm, Dockerfiles)
  • Dependency manifests (requirements.txt, package.json, Cargo.toml)
  • Environments explicitly authorized by the client in writing

Out of Scope

  • Private infrastructure systems without written authorization
  • Live exploitation or payload execution against any system
  • Social engineering or phishing of any party
  • Denial-of-Service testing
  • Access to production data or credentials

Research Principles

Non-Intrusive Analysis

All analysis is limited to static artifacts โ€” source code, configuration files, dependency manifests, and CI/CD definitions. We never connect to, probe, or interact with live systems, APIs, or services in the course of an audit.

No Exploitation

We identify vulnerabilities and document them. We never execute payloads, attempt privilege escalation, or demonstrate exploitability against any live environment. Proof-of-concept is limited to isolated, controlled reproduction where explicitly authorized.

Privacy-First

We do not collect, store, or transmit private user data encountered during analysis. If sensitive data (credentials, PII, private keys) is found during an authorized audit, it is documented in the confidential report and immediately purged from our local environment.

Coordinated Disclosure

All significant findings are reported privately to the authorized contact before any public disclosure. We follow a 90-day coordinated disclosure window: findings remain confidential until a fix is released or 90 days elapse, whichever comes first, unless mutually agreed otherwise.


Disclosure Process

1. Private Notification
   Findings are reported privately to the affected party via official security channels or the contact listed in their security.txt.
2. Detailed Report Delivery
   A structured findings report is provided with severity ratings, CWE references, reproduction steps, and concrete remediation guidance.
3. 90-Day Confidentiality Window
   Findings are kept strictly confidential for 90 days or until a fix is released, whichever comes first. Extensions can be negotiated with written agreement from both parties.
4. Acknowledgement Timeline
   DataWizual commits to acknowledging all inbound reports within 3–7 business days of receipt.

Product Privacy Commitments

These commitments apply to all DataWizual products: Auditor Core v2.1 and Sentinel Core v2.1.

Zero Telemetry

Neither product collects, transmits, or stores usage data of any kind. There are no analytics, no crash reporters, and no license phone-home checks, at activation or afterwards. The engines operate in full silence.

Source Code Never Leaves Your Machine

The AI advisory layer (Gemini / Groq) receives only structured finding summaries, never raw source code, file contents, or repository paths. All full-text analysis runs locally.

No Self-Update or Remote Rule Fetching

The detection logic is compiled into Cython binaries at build time. The engines never download rule updates, fetch remote signatures, or modify themselves at runtime. What you receive is what runs, permanently.

Hardware-Bound Licensing (No Central Server)

License validation is a local cryptographic operation against your Machine ID. There is no license server, no activation call, and no revocation mechanism that requires internet access.
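To make the shape of a fully offline, machine-bound check concrete, here is an added example written for this page. It is not DataWizual's implementation: the page does not describe the product's key format, signature scheme, or how the Machine ID is derived, so the JSON field names, the Ed25519 choice, the expiry field and the sample identifier `MID-7f3a9c1e` are all assumptions. The vendor signs a payload containing the Machine ID with a private key it keeps; the product verifies the signature with an embedded public key, and only then parses the payload and compares it with the locally derived Machine ID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LicensePayload is the signed content of a hypothetical license key.
// Field names are assumptions for this example, not DataWizual's format.
type LicensePayload struct {
	MachineID string `json:"machine_id"`
	Product   string `json:"product"`
	ExpiresAt int64  `json:"expires_at"` // Unix seconds; 0 means perpetual
}

// License is what the vendor delivers: the exact signed bytes plus the
// signature. Keeping the raw bytes means the product verifies precisely what
// was signed instead of re-serialising and hoping the encoding matches.
type License struct {
	PayloadJSON []byte `json:"payload"`
	Signature   []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("license signature invalid")
	ErrWrongMachine = errors.New("license bound to a different machine")
	ErrExpired      = errors.New("license expired")
)

// IssueLicense runs on the vendor side only. The private key never ships
// with the product; only the matching public key is embedded in the binary.
func IssueLicense(priv ed25519.PrivateKey, p LicensePayload) (License, error) {
	msg, err := json.Marshal(p)
	if err != nil {
		return License{}, err
	}
	return License{PayloadJSON: msg, Signature: ed25519.Sign(priv, msg)}, nil
}

// ValidateLicense runs inside the product. Its only inputs are the embedded
// vendor public key, the delivered license and the locally derived machine
// ID, so it needs no network access. The signature is checked before the
// payload is parsed, so unauthenticated bytes are never interpreted.
func ValidateLicense(pub ed25519.PublicKey, lic License, localMachineID string, now time.Time) error {
	if !ed25519.Verify(pub, lic.PayloadJSON, lic.Signature) {
		return ErrBadSignature
	}
	var p LicensePayload
	if err := json.Unmarshal(lic.PayloadJSON, &p); err != nil {
		return err
	}
	// Constant-time compare: not strictly required for an identifier, but
	// the habit is worth keeping for any comparison near license material.
	if subtle.ConstantTimeCompare([]byte(p.MachineID), []byte(localMachineID)) != 1 {
		return ErrWrongMachine
	}
	if p.ExpiresAt != 0 && now.Unix() > p.ExpiresAt {
		return ErrExpired
	}
	return nil
}

func main() {
	// Vendor side: one-off key generation; the private key stays with the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample machine ID; how it is derived is out of scope here.
	const machineID = "MID-7f3a9c1e"
	lic, err := IssueLicense(priv, LicensePayload{MachineID: machineID, Product: "Auditor Core v2.1"})
	if err != nil {
		panic(err)
	}

	// Product side: fully offline validation.
	fmt.Println("same machine:", ValidateLicense(pub, lic, machineID, time.Now()))
	fmt.Println("other machine:", ValidateLicense(pub, lic, "MID-00000000", time.Now()))

	// Copying the license file and editing the machine ID breaks the signature.
	forged := lic
	forged.PayloadJSON = []byte(`{"machine_id":"MID-00000000","product":"Auditor Core v2.1","expires_at":0}`)
	fmt.Println("edited payload:", ValidateLicense(pub, forged, "MID-00000000", time.Now()))
}
```

The trade-off this design makes is the one stated above: because the check never contacts a server, a license issued in error can only be revoked by shipping a new build that embeds a different public key (or by an expiry baked into the signed payload), and the public key in the binary is the single root of trust, so protecting the matching private key is the whole game.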


Safe Harbor

This policy is intended to provide Safe Harbor under applicable laws for researchers acting in good faith and within the terms described herein.

DataWizual will not pursue legal action, civil or criminal, against individuals who:

  • Conduct research within the defined scope above
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Report findings promptly and in good faith via the security contact
  • Do not publicly disclose findings before the 90-day window expires or a fix is released

Safe Harbor does not apply to research conducted outside the defined scope, research that causes harm, or disclosure that violates the confidentiality agreement.


License Terms Summary

Full terms are provided with each product delivery. Key points:

  • Each License Key is bound to a single Machine ID and is non-transferable
  • Reverse engineering, decompiling, or extracting Cython binaries is prohibited
  • Redistribution of any product component without written permission is prohibited
  • License is granted for use within the authorized organization only
  • Source code remains the intellectual property of DataWizual Security

Security Contact

eldorzufarov66@gmail.com

Response time: 3–7 business days · PGP encryption available
