Security Disclosure Policy

Effective Date: May 27, 2026 · Last Updated: May 27, 2026

ANKH OU takes the security of our systems, products, and user data seriously. We welcome and encourage responsible disclosure of security vulnerabilities. This policy outlines how to report vulnerabilities, what to expect from us, and what we ask of you.

1. Scope

This policy covers:

• raked.app and all subdomains.
• mcp-guard and all published packages.
• All APIs and services operated by ANKH OU.
• All open-source repositories under the ANKH OU / 0xRake GitHub organizations.

2. Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it responsibly:

• Email: rake@mechanist.ai
• Subject line: [SECURITY] Brief description
• PGP encryption: Available upon request for sensitive disclosures.

Please include:

1. Description of the vulnerability and its potential impact.
2. Step-by-step reproduction instructions.
3. Affected component(s), URL(s), or repository.
4. Any proof-of-concept code or screenshots.
5. Your assessment of severity (Critical / High / Medium / Low).

3. Our Commitment

• Acknowledgment: We will acknowledge receipt within 48 hours.
• Triage: We will triage and assess severity within 5 business days.
• Updates: We will provide status updates at least every 7 days until resolution.
• Resolution: We aim to resolve critical vulnerabilities within 30 days of confirmation.
• Credit: With your permission, we will publicly credit you in our security advisories.
• No legal action: We will not pursue legal action against researchers who follow this policy.

4. Safe Harbor

We consider security research conducted in accordance with this policy to be authorized conduct. We will not initiate legal action against you for security research activities that:

• Are conducted in good faith.
• Avoid privacy violations, data destruction, and service disruption.
• Do not access, modify, or delete data belonging to other users.
• Are reported promptly and exclusively to ANKH OU.
• Provide us reasonable time to remediate before any public disclosure.

This safe harbor applies to activities under the jurisdiction of any country where ANKH OU operates, including the European Union, European Economic Area, and the United States. If legal action is initiated by a third party against you for activities conducted under this policy, we will take steps to make it known that your actions were authorized.

5. Out of Scope

The following are explicitly out of scope:

• Social engineering or phishing attacks against ANKH OU personnel.
• Physical security attacks.
• Denial-of-service (DoS/DDoS) attacks.
• Automated vulnerability scanning that generates excessive traffic.
• Vulnerabilities in third-party services (Paddle, Vercel, Temporal Cloud) — report these to the respective vendor.
• Vulnerabilities requiring physical access to a device.

6. Severity Classification

We classify vulnerabilities using the following framework:

• Critical: Remote code execution, authentication bypass, data exfiltration affecting all users, cryptographic key compromise.
• High: Privilege escalation, stored XSS, SQL injection, SSRF with internal network access.
• Medium: Reflected XSS, CSRF, information disclosure of non-sensitive data, misconfiguration.
• Low: Missing security headers (informational), verbose error messages, minor information leaks.

7. Disclosure Timeline

• Day 0: Vulnerability reported to ANKH OU.
• Day 2: Acknowledgment sent to reporter.
• Day 5: Triage complete, severity confirmed.
• Day 30: Target remediation for Critical/High.
• Day 60: Target remediation for Medium.
• Day 90: Coordinated public disclosure (with reporter credit, if desired).

We request that you do not publicly disclose the vulnerability before the coordinated disclosure date. If we fail to remediate within the timeline, we will work with you to agree on an appropriate disclosure date.

8. Contact

• Security reports: rake@mechanist.ai
• General inquiries: Schedule a call

© 2026 ANKH OU. All rights reserved.