Is Areebi SOC 2 certified?

Areebi deploys entirely inside your infrastructure, so your existing SOC 2 controls cover the runtime environment. Areebi provides the audit logging, access controls, and policy enforcement you need to demonstrate compliance to your auditor. SOC 2 Type II certification for Areebi's own corporate controls is planned for 2026; we will publish the attestation when it is complete.

Where is Areebi data stored?

All data stays within your infrastructure. Areebi deploys as a self-hosted Docker image - on-premises, in your VPC, or air-gapped. No prompts, responses, or documents are sent to external servers.

Does Areebi sign BAAs for HIPAA compliance?

Because Areebi runs entirely within your environment, the traditional BAA model does not apply. Your organization maintains full control of all protected health information. Areebi provides HIPAA-specific DLP patterns and audit controls.

Public commitment

Responsible disclosure program

Areebi does not yet operate a paid bug bounty. We are pre-customer. What we commit to today is a fast, fair, public process for every researcher who finds and reports a real security issue.

Report vulnerabilities to security@areebi.com. Public PGP key and machine-readable policy live at /.well-known/security.txt.

What we commit to

Four public promises to every researcher

No paid bounty yet, but the rest of the program runs today. These promises hold whether or not you ever talk to our sales team.

48 hour acknowledgement

Every report submitted to security@areebi.com receives a human acknowledgement within 48 hours, including a tracking reference and a named contact on our security team.

Public patched-vulnerability advisories

When a reported vulnerability is patched, we publish an advisory on this Trust Center and (where applicable) request a CVE via MITRE. We do not suppress disclosure once a fix has shipped.

Credit to researchers

We credit researchers by name in every advisory unless they prefer anonymity. Our Hall of Fame is published below and will list every researcher whose report leads to a fix.

Paid bounty once revenue lands

We do not yet operate a paid bug bounty. We are pre-customer and pre-revenue. We commit to launching a paid program once our first paying customer is live, and to backdating eligible reports filed before that date.

Scope

What is, and is not, in scope

Stay inside the in-scope list. If you find a real security impact outside that list, email us anyway and we will route appropriately.

In scope

+areebi.com and all subdomains under areebi.com
+Our public marketing properties served from this domain (Trust Center, blog, /platform, /resources)
+Open-source contributions Areebi maintains on the mitsubishyy/anything-llm fork
+Areebi-authored open-source repositories under the mitsubishyy GitHub organisation

Out of scope

-Third-party SaaS used for marketing operations (Vercel hosting, Plausible analytics, Cal.com scheduling) - report directly to those vendors
-Social engineering against Areebi staff, contractors, or partners
-Volumetric denial-of-service tests or any test that knowingly degrades availability
-Automated scanner output submitted without analyst triage or a working proof-of-concept
-Reports that depend on outdated browsers, end-of-life operating systems, or unsupported runtimes
-Issues with no realistic security impact (clickjacking on static pages, missing CSP on assets, version disclosure)

How to report

The submission workflow

A good report cuts our triage time in half. Here is what we need.

Email security@areebi.com from any address you control. Use PGP if your finding involves a live exploit; the key is published in /.well-known/security.txt.
Include a proof-of-concept or step-by-step reproduction. A working PoC moves you to the front of the queue and unlocks faster triage.
Describe the impact in business terms. Who can do what, to which data, under what preconditions.
Tell us how you want to be credited (real name, handle, or anonymous). We default to real name credit; let us know if you prefer otherwise.
Hold publication until we confirm a fix has shipped, or until 90 days have passed from your report, whichever comes first. Coordinated disclosure windows are negotiable on a per-report basis.

Email security@areebi.com View security.txt

Vulnerability handling SLA

Defined triage and fix-target times by severity

Severity is assigned by Areebi's security team using CVSS 3.1 as a starting point, then adjusted for real-world exploitability and customer impact.

SeverityTriageFix targetTypical examples

Critical24 hours7 daysActive exploitation, remote code execution, unauthenticated data access, secret exposure.

High48 hours14 daysAuthenticated privilege escalation, sensitive data exposure to limited audience, persistent XSS.

Medium1 week30 daysNon-persistent XSS, CSRF on lower-risk endpoints, information leaks without direct PII impact.

Low2 weeksNext scheduled releaseHardening recommendations, defence-in-depth findings, theoretical issues with mitigating controls.

Fix targets refer to internal patch availability. Customer notification and release scheduling follow our CVE disclosure process.

Hall of Fame

Researchers we owe a thank-you to

We publish credit publicly. The list starts the day our first valid report lands.

No reports yet

The first published acknowledgement will appear here. We commit to public credit (with the researcher's consent) and to a permanent entry on this page, not a transient mention.

Researchers who request anonymity will be acknowledged as "anonymous researcher" with the date and a brief impact summary.

What we will not do

Pursue legal action against good-faith researchers who follow this policy
Require an NDA or any contract before you submit a report
Ask you to remove your published research after a coordinated disclosure window closes
Threaten to involve law enforcement for reports submitted to security@areebi.com in good faith
Silently patch without acknowledging the reporter (unless the reporter requests anonymity)

These commitments are non-retractable. If you ever feel Areebi is in breach of any of them, email security@areebi.com with the subject line "Disclosure policy escalation" and our leadership team will respond personally.

Continue exploring the Trust Center

Our disclosure program slots into a broader public security commitment.

CVE disclosure history Public threat models SOC 2 readiness

Report a vulnerability Back to Trust Center

Taking longer than expected.

Reload the page

Responsible disclosure program

Areebi does not yet operate a paid bug bounty. We are pre-customer. What we commit to today is a fast, fair, public process for every researcher who finds and reports a real security issue.

Report vulnerabilities to security@areebi.com. Public PGP key and machine-readable policy live at /.well-known/security.txt.