Aria · Legal

Security Policy

Effective date: 2026-05-22 · Last updated: 2026-05-22

Reporting a vulnerability

Aria is a product of Lab 28 Technologies - FZCO (“28 Labs”), Dubai, UAE. We take security reports seriously. This page explains how to reach us, what we commit to do, and what we ask from you in return.

Email: roger@28labs.ai
Subject line: start with [security] so it routes correctly.

Please include:

  • A description of the vulnerability and the impact you believe it has.
  • Steps to reproduce, including any test accounts, URLs, or sample requests.
  • Your name or handle if you would like to be credited (optional).

If you need to send something sensitive, ask us in the first email and we will reply with an alternate channel.

We do not currently run a paid bug-bounty program. We publicly credit reporters of valid issues in our acknowledgements section below, with your consent.

What we commit to

StageOur SLA
Acknowledge receipt of your report5 business days
Initial triage (severity + reproducibility)10 business days
Remediation of confirmed high-severity issues14 days
Remediation of confirmed medium-severity issues30 days
Public disclosure after a fix is liveCoordinated with you

If we do not get back to you in the windows above, please re-send the email and ping us on a second channel - we are a small team and emails occasionally get missed.

What we ask from you

  • Do not access or modify data that does not belong to you. Use a test account; we are happy to provision one if you ask.
  • Do not run scans or automated tooling against our production systems without prior coordination - it can degrade service for other customers and is hard for us to distinguish from a real attack.
  • Do not perform denial-of-service testing, social-engineering attacks against 28 Labs staff, or physical attacks against our infrastructure.
  • Give us a reasonable opportunity to fix the issue before public disclosure.

We will not pursue legal action against researchers who follow this policy in good faith.

Scope

In scope:

  • The Aria web app: https://aria.28labs.ai
  • API endpoints under https://aria.28labs.ai/api/*
  • OAuth flows handled by Aria (Google sign-in, Gmail/Calendar grant)

Out of scope:

  • Subprocessor vulnerabilities (Supabase, Render, Anthropic, Google) - please report those to the relevant provider. We are happy to help coordinate if you contact us first.
  • Other 28 Labs projects and marketing properties not on the aria.28labs.ai hostname.
  • Findings that require physical access to a customer's device or browser.
  • Self-XSS that requires the user to deliberately paste a payload into their own browser console.
  • Missing security headers or cookie flags where there is no demonstrable impact (we will still fix them, but they are not bounty-worthy reports).

Machine-readable reference

This policy is also published at /.well-known/security.txt per RFC 9116.

Acknowledgements

We list researchers who responsibly disclosed valid issues here, with their permission. None yet - this section will populate as reports come in.