Security Policy
Our Commitment
CZM Labs is committed to protecting the security and privacy of our clients, partners, and users. We take a proactive approach to security and welcome collaboration with the security research community to identify and address vulnerabilities.
Scope
This policy applies to the following assets owned and operated by CZM:
- czm.ai (primary domain and all subdomains)
- cesium.co (domain and all subdomains)
- All public CZM Isotopes
- Public-facing web applications hosted by CZM Labs
- Models, MCPs, APIs and related services operated under CZM Labs' infrastructure
The following are explicitly out of scope:
- Third-party services and integrations not operated by CZM Labs
- Social media accounts
- Physical security concerns
- Social engineering attacks against CZM staff
- Denial of service (DoS/DDoS) testing
Reporting a Vulnerability
If you believe you have discovered a security vulnerability, we encourage you to report it promptly.
How to Report:
- Email: security@czm.ai
- Web Form: czm.ai/security/report
What to Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information (optional, but helpful for follow-up)
- Any supporting evidence (screenshots, logs, proof-of-concept code)
Encryption:
If you need to transmit sensitive details, please indicate your preference for secure communication.
Our Response Process
| Timeframe | Action |
|---|---|
| 72 hours | Initial acknowledgment of your report |
| 7 days | Preliminary assessment and severity determination |
| 30 days | Target remediation for critical and high-severity issues |
| 90 days | Target remediation for medium and low-severity issues |
We will keep you informed of our progress and notify you when the issue has been resolved.
Safe Harbor
CZM supports responsible security research. If you conduct your research in accordance with this policy, we will:
- Consider your research authorized and not pursue legal action
- Work with you to understand and resolve the issue promptly
- Recognize your contribution (with your permission) on our acknowledgments page
To qualify for safe harbor:
- Act in good faith
- Avoid privacy violations, data destruction, and service disruption
- Do not access, modify, or delete data belonging to others
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Report findings promptly and allow reasonable time for remediation before any disclosure
What We Ask
- Do not publicly disclose vulnerabilities before we have had reasonable time to address them
- Do not use automated scanning tools in a way that degrades service availability
- Do not attempt to access accounts or data that do not belong to you
- Do not engage in phishing, social engineering, or physical attacks
Recognition
We believe in acknowledging the contributions of security researchers who help us improve. With your permission, we will list your name (or alias) on our Security Acknowledgments page.
At this time, CZM does not operate a paid bug bounty program. Recognition is provided through public acknowledgment only.
Data Handling
Any information you provide in a vulnerability report will be used solely for the purpose of addressing the security issue. We will not share your personal information with third parties without your consent, except as required by law.
Contact
For questions about this policy or our security practices:
- Email: security@czm.ai
- General Inquiries: human@czm.ai
Policy Updates
This policy may be updated periodically. Material changes will be reflected in the “Last Updated” date on this page. We encourage researchers to review this policy before conducting any testing.
Effective Date: December 1, 2025
Last Updated: December 1, 2025
We Respect Data
Our entire business depends on data, so naturally, we take it seriously. We will never sell your data to anyone, ever.