Vulnerability Disclosure Policy

Last Updated: March 17, 2026

1. Purpose

We are committed to ensuring the security and integrity of our systems, products, and services, including those leveraging Artificial Intelligence (AI), Large Language Models (LLMs), Agentic AI systems, and Model Context Protocol (MCP) integrations.

This Vulnerability Disclosure Policy (VDP) provides a clear process for security researchers and the public to responsibly report vulnerabilities so they can be identified, validated, and remediated in a timely manner.

 

2. Scope

This policy applies to all systems, services, and technologies owned, operated, or maintained by vCISO Pro LLC, including:

  • Web applications, APIs, and infrastructure

  • Security tools and consulting-delivered platforms

  • AI/ML systems, including:

    • Large Language Models (LLMs)

    • Agentic AI systems (autonomous or semi-autonomous decision-making agents)

    • Model Context Protocol (MCP) implementations and integrations

    • Retrieval-Augmented Generation (RAG) pipelines

    • Prompt orchestration and tool-use frameworks

  • Data processing pipelines and model training environments

Out of Scope

  • Third-party systems not owned or controlled by vCISO Pro LLC

  • Social engineering or phishing attacks against employees

  • Physical security testing

  • Denial of service (DoS/DDoS) attacks

 

3. Types of Vulnerabilities

We encourage reporting of vulnerabilities including, but not limited to:

Traditional Security Issues

  • Authentication and authorization flaws

  • Injection vulnerabilities (SQL, command, etc.)

  • Cross-site scripting (XSS), CSRF

  • Sensitive data exposure

AI/LLM/Agentic-Specific Issues

  • Prompt injection and prompt leakage

  • Jailbreaking or model behavior bypass

  • Data exfiltration via LLM outputs

  • Training data leakage or memorization risks

  • Model inversion or extraction attacks

  • Unsafe tool execution in agentic workflows

  • Unauthorized access via MCP integrations

  • Context poisoning in RAG pipelines

  • Hallucination-induced security risks where outputs could lead to harm

  • Privilege escalation via AI-driven automation

 

4. How to Report a Vulnerability

Please report vulnerabilities by sending an email to:

info@vcisopro.com

Include the following details:

  • Description of the vulnerability

  • Steps to reproduce

  • Proof-of-concept (if available)

  • Impact assessment

  • Affected systems or endpoints

 

5. Our Commitment

When you report a vulnerability, we commit to:

  • Acknowledge receipt within 3–5 business days

  • Provide status updates as appropriate

  • Investigate and validate findings promptly

  • Remediate confirmed vulnerabilities in a risk-based timeframe

  • Coordinate disclosure where appropriate

 

6. Safe Harbor

We support responsible security research and will not pursue legal action against researchers who:

  • Act in good faith

  • Avoid violating privacy or disrupting services

  • Do not exploit vulnerabilities beyond what is necessary for proof-of-concept

  • Do not access, modify, or delete customer data

 

7. Responsible Disclosure Guidelines

We request that researchers:

  • Do not publicly disclose vulnerabilities until we have had a reasonable opportunity to remediate

  • Allow coordinated disclosure timelines (typically 60–90 days)

  • Avoid accessing sensitive data unnecessarily

 

8. AI-Specific Disclosure Considerations

Given the evolving nature of AI systems:

  • Vulnerabilities involving LLM outputs should include prompt/response pairs

  • Agentic AI issues should describe tool chains, permissions, and execution paths

  • MCP-related issues should include context flow, boundaries, and trust assumptions

  • Reports involving model behavior should clearly distinguish between:

    • Expected probabilistic behavior

    • Security-relevant failure modes

 

9. Recognition

We appreciate the efforts of security researchers and may offer acknowledgment or recognition at our discretion.

 

10. Policy Updates

This policy may be updated periodically to reflect changes in technology, including advancements in AI, LLMs, and agentic systems.

 

11. Legal

This policy does not grant permission for activities that violate applicable laws or regulations. All testing must comply with relevant legal requirements.

 

12. Contact

For questions regarding this policy, contact:

info@vcisopro.com

Thank you for helping us keep our systems, clients, and AI-driven technologies secure.

© 2026 vCISO Pro LLC. All rights reserved. Cybersecurity consulting and fractional CISO services.
