Vulnerability Disclosure

Assemblic Pty Ltd (ACN 638 522 675) (Assemblic, we, us, our) is committed to the security of our products, services, and systems. We welcome reports from security researchers and the public about potential vulnerabilities. This policy describes how to report security issues and what you can expect from us.

Scope

This policy applies to security vulnerabilities in Assemblic’s products and services, including:

• Assemblic web applications and APIs (including app.assemblic.com, www.assemblic.com, and related services)
• Assemblic-hosted Rules as Code platforms and supporting infrastructure
• Assemblic software, integrations, and documentation that we operate or maintain

If you are unsure whether a product or service is in scope, please contact us using the details below.

How to report

Please report suspected security vulnerabilities to:

Email: security@assemblic.com

We also publish a machine-readable security.txt file at /.well-known/security.txt on our internet-facing domains, in line with RFC 9116. That file contains our contact details and a link to this policy.

When reporting, please include:

• A description of the vulnerability and the affected product, service, or URL
• Steps to reproduce the issue, if possible
• Your name or identifier (if you wish to be acknowledged) and contact details so we can follow up

We encourage you to use encrypted email if you are reporting sensitive details. We will work with you to arrange a secure channel if needed.

What to expect

We will:

• Acknowledge receipt of your report within a reasonable timeframe (typically within a few business days)
• Assess the report and keep you informed of our assessment and any remediation progress where appropriate
• Notify you when the issue has been addressed, where practicable

We cannot guarantee a specific timeline for remediation; it will depend on the severity, complexity, and our release cycles. We will treat your report in confidence and in accordance with our security and incident response procedures.

Safe harbour

We support good-faith security research and responsible disclosure. Provided you:

• Make a good-faith effort to avoid privacy harm, data loss, and disruption to our services
• Do not access, modify, or delete data that does not belong to you
• Do not exploit the vulnerability beyond what is necessary to demonstrate it
• Report the vulnerability to us before disclosing it publicly and allow us a reasonable time to address it

we will not pursue legal action against you for the act of reporting the vulnerability. We may still need to take action to protect our systems and users, and we reserve the right to refer matters to law enforcement if we detect malicious or unlawful activity.

Out of scope

The following are generally out of scope for this policy:

• Social engineering or phishing directed at our staff or users
• Denial-of-service or resource-exhaustion attacks
• Issues in third-party services or software that we do not control (please report those to the relevant vendor)
• Vulnerabilities that require physical access or already-compromised user accounts, unless they have clear security impact

If in doubt, report the issue and we will assess it.

Contact us

For vulnerability reports or questions about this policy:

Assemblic Pty Ltd
Email: security@assemblic.com

Changes to this policy

We may revise this policy from time to time. The current version is always available at this page. We will update the Expires date in our security.txt file when we refresh our disclosure information.