Research Scope
In Scope
- Publicly accessible repositories and configurations
- CI/CD workflow definitions (GitHub Actions, GitLab CI, Jenkinsfiles)
- Infrastructure-as-Code files: Terraform, Kubernetes, Helm, Dockerfiles
- Dependency manifests: requirements.txt, package.json, Cargo.toml
- Chain analysis: correlation of findings across multiple files/directories
- Environments explicitly authorized by the client in writing
Out of Scope
- Private infrastructure systems without written authorization
- Live exploitation or payload execution against any system
- Social engineering or phishing of any party
- Denial-of-Service testing
- Access to production data or credentials
- Attempting to bypass hardware-bound licensing mechanisms
Research Principles
Non-Intrusive Analysis
All analysis is limited to static artifacts: source code, configuration files, dependency manifests, and CI/CD definitions. We never connect to, probe, or interact with live systems, APIs, or services in the course of an audit. Chain Analysis operates on static findings only, correlating them without runtime execution.
No Exploitation
We identify vulnerabilities and document them. We never execute payloads, attempt privilege escalation, or demonstrate exploitability against any live environment. Proof-of-concept is limited to isolated, controlled reproduction where explicitly authorized.
Privacy-First
We do not collect, store, or transmit private user data encountered during analysis. If sensitive data (credentials, PII, private keys) is found during an authorized audit, it is documented in the confidential report and immediately purged from our local environment. The AI advisory layer (Gemini, Groq, or local LLM) receives only anonymised finding summaries, never raw source code.
Coordinated Disclosure
All significant findings are reported privately to the authorized contact before any public disclosure. We follow a 90-day coordinated disclosure window: findings remain confidential until a fix is released or 90 days elapse, whichever comes first, unless mutually agreed otherwise. Findings involving chain analysis (multi-step attack paths) are treated with the same confidentiality window.
Disclosure Process
security.txt.
Product Privacy Commitments
These commitments apply to all DataWizual products: Auditor Core v2.2.1 and Sentinel Core v2.2.1.
Zero Telemetry
Neither product collects, transmits, or stores usage data of any kind. There are no analytics, no crash reporters, no license phone-home checks after initial activation. The engines operate in full silence.
Source Code Never Leaves Your Machine
The AI advisory layer (Gemini, Groq, or local LLM) receives only structured finding summaries, never raw source code, file contents, or repository paths. Chain analysis is performed locally. All full-text analysis runs locally. For air-gapped environments, local LLM mode eliminates all outbound network calls.
No Self-Update or Remote Rule Fetching
The detection logic is compiled into Cython binaries at build time. The engines never download rule updates, fetch remote signatures, or modify themselves at runtime. What you receive is what runs, permanently.
Hardware-Bound Licensing: No Central Server
License validation is a local cryptographic operation against your Machine ID. There is no license server, no activation call, and no revocation mechanism that requires internet access.
Context Intelligence & Gate Override
Context Intelligence automatically excludes findings in test/, docs/, and examples/ from SPI calculation.
Gate Override caps the effective grade at C when CRITICAL findings exist in production code, eliminating false confidence.
These are purely local, deterministic calculations with no data leakage.
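As an added illustration of the two rules above (example code written here, not DataWizual's own implementation), the directory exclusion and the grade cap in Python. Assumptions: a path is non-production if any directory component is test/, docs/ or examples/; grades run A to F; and the pre-override grade is taken as input, since the SPI formula itself is not described on this page.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Iterable, List

# Directories whose findings Context Intelligence drops from SPI calculation.
EXCLUDED_DIRS = frozenset({"test", "docs", "examples"})
# Assumed letter scale, best to worst; Gate Override caps at GATE_CAP.
GRADE_ORDER = ("A", "B", "C", "D", "F")
GATE_CAP = "C"


@dataclass(frozen=True)
class Finding:
    path: str       # repository-relative file path
    severity: str   # e.g. "LOW", "MEDIUM", "HIGH", "CRITICAL"


def is_production_path(path: str) -> bool:
    """Assumption: a file is non-production if any directory in its path is
    test/, docs/ or examples/ (so src/examples/demo.py is excluded too)."""
    parts = PurePosixPath(path.replace("\\", "/")).parts[:-1]  # drop filename
    return not any(part.lower() in EXCLUDED_DIRS for part in parts)


def context_filter(findings: Iterable[Finding]) -> List[Finding]:
    """Context Intelligence: keep only findings located in production code."""
    return [f for f in findings if is_production_path(f.path)]


def gate_override(grade: str, findings: Iterable[Finding]) -> str:
    """Gate Override: if any CRITICAL finding survives the context filter,
    the effective grade can be no better than GATE_CAP; otherwise unchanged."""
    if grade not in GRADE_ORDER:
        raise ValueError(f"unknown grade {grade!r}")
    has_critical = any(f.severity.upper() == "CRITICAL"
                       for f in context_filter(findings))
    if not has_critical:
        return grade
    # The worse of the two positions on the scale wins (D stays D, A becomes C).
    return GRADE_ORDER[max(GRADE_ORDER.index(grade), GRADE_ORDER.index(GATE_CAP))]


if __name__ == "__main__":
    # Constructed sample findings, not real audit output.
    sample = [
        Finding("test/test_auth.py", "CRITICAL"),   # excluded: test fixture
        Finding("src/api/handlers.py", "HIGH"),
        Finding("src/core/crypto.py", "CRITICAL"),  # production: triggers the cap
    ]
    print(len(context_filter(sample)), gate_override("A", sample))
```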
Safe Harbor
This policy is intended to provide Safe Harbor under applicable laws for researchers acting in good faith and within the terms described herein.
DataWizual will not pursue legal action, civil or criminal, against individuals who:
- Conduct research within the defined scope above
- Avoid accessing, modifying, or deleting data that does not belong to them
- Report findings promptly and in good faith via the security contact
- Do not publicly disclose findings before the 90-day window expires or a fix is released
Safe Harbor does not apply to research conducted outside the defined scope, research that causes harm, or disclosure that violates the confidentiality agreement.
License Terms Summary
Full terms are provided with each product delivery. Key points:
- Each License Key is bound to a single Machine ID and is non-transferable
- Reverse engineering, decompiling, or extracting Cython binaries is prohibited
- Redistribution of any product component without written permission is prohibited
- License is granted for use within the authorized organization only
- Source code remains the intellectual property of DataWizual Security
- Chain Analysis and Gate Override are integral parts of the licensed software
Security Contact
eldorzufarov66@gmail.com
Response time: 3–7 business days · PGP encryption available