Security Policy
Effective date: 2026-05-22 · Last updated: 2026-05-22
Reporting a vulnerability
Aria is a product of Lab 28 Technologies - FZCO (“28 Labs”), Dubai, UAE. We take security reports seriously. This page explains how to reach us, what we commit to do, and what we ask from you in return.
Email: roger@28labs.ai
Subject line: start with [security] so it routes correctly.
Please include:
- A description of the vulnerability and the impact you believe it has.
- Steps to reproduce, including any test accounts, URLs, or sample requests.
- Your name or handle if you would like to be credited (optional).
If you need to send something sensitive, ask us in the first email and we will reply with an alternate channel.
We do not currently run a paid bug-bounty program. We publicly credit reporters of valid issues in our acknowledgements section below, with your consent.
What we commit to
| Stage | Our SLA |
|---|---|
| Acknowledge receipt of your report | 5 business days |
| Initial triage (severity + reproducibility) | 10 business days |
| Remediation of confirmed high-severity issues | 14 days |
| Remediation of confirmed medium-severity issues | 30 days |
| Public disclosure after a fix is live | Coordinated with you |
If we do not get back to you in the windows above, please re-send the email and ping us on a second channel - we are a small team and emails occasionally get missed.
What we ask from you
- Do not access or modify data that does not belong to you. Use a test account; we are happy to provision one if you ask.
- Do not run scans or automated tooling against our production systems without prior coordination - it can degrade service for other customers and is hard for us to distinguish from a real attack.
- Do not perform denial-of-service testing, social-engineering attacks against 28 Labs staff, or physical attacks against our infrastructure.
- Give us a reasonable opportunity to fix the issue before public disclosure.
We will not pursue legal action against researchers who follow this policy in good faith.
Scope
In scope:
- The Aria web app: https://aria.28labs.ai
- API endpoints under
https://aria.28labs.ai/api/* - OAuth flows handled by Aria (Google sign-in, Gmail/Calendar grant)
Out of scope:
- Subprocessor vulnerabilities (Supabase, Render, Anthropic, Google) - please report those to the relevant provider. We are happy to help coordinate if you contact us first.
- Other 28 Labs projects and marketing properties not on the aria.28labs.ai hostname.
- Findings that require physical access to a customer's device or browser.
- Self-XSS that requires the user to deliberately paste a payload into their own browser console.
- Missing security headers or cookie flags where there is no demonstrable impact (we will still fix them, but they are not bounty-worthy reports).
Machine-readable reference
This policy is also published at /.well-known/security.txt per RFC 9116.
Acknowledgements
We list researchers who responsibly disclosed valid issues here, with their permission. None yet - this section will populate as reports come in.