Security & Vulnerability Disclosure

Last updated: June 18, 2026

Security is foundational to Hanalyx — we build the tooling teams use to make production changes safe, auditable, and reversible. We welcome reports from the security community and treat every disclosure seriously.

Reporting a vulnerability

Email security@hanalyx.com with the details below. If a report is sensitive, ask us for a secure channel before sending specifics. Please do not disclose the issue publicly until we have had a chance to address it.

  • A clear description of the issue and its potential impact
  • Step-by-step instructions to reproduce it
  • Affected URL, product, version, or endpoint
  • Any proof-of-concept code, logs, or screenshots (please avoid real customer data)

Coordinated disclosure

We aim to acknowledge new reports within three business days, validate and triage promptly, and keep you updated as we work toward a fix. We are glad to credit researchers who report valid issues in good faith, unless you prefer to remain anonymous. We ask for reasonable time to remediate before any public disclosure.

Safe harbor

We will not pursue or support legal action against researchers for security testing and disclosure conducted in good faith and consistent with this policy. Act in good faith, stay within the scope listed below, avoid privacy violations and service disruption, and only interact with accounts you own or have explicit permission to test.

In scope

  • hanalyx.com and its subdomains
  • The OpenWatch and Kensa open-source projects
  • Downloadable artifacts and evidence templates we publish

Out of scope

  • Denial-of-service (DoS/DDoS) and volumetric or brute-force testing
  • Social engineering, phishing, or physical attacks against staff or facilities
  • Reports from automated scanners without a demonstrated, exploitable impact
  • Findings that require unlikely or excessive user interaction to exploit

How we protect our products

  • Encryption in transit (TLS) and at rest for data we hold
  • Least-privilege access and audited administrative actions
  • Signed, machine-verifiable evidence for every change our tools make
  • Continuous dependency monitoring and timely patching
  • Engineering aligned with NIST 800-53, DISA STIG, and CIS Benchmarks

Standards & certifications

Hanalyx is a Service-Disabled Veteran-Owned Small Business (SDVOSB). Our work draws on deep federal cybersecurity experience and aligns with FIPS 140-2/3-validated cryptography, NIST 800-53, DISA STIG, and CIS Benchmarks.

Contact

Security reports: security@hanalyx.com. For anything else, visit our contact page.