Security

Security posture and vulnerability disclosure

A focused, technical view of how AXOS is built and supported, and how security researchers and customers can report issues.

Customer-controlled deployment

AXOS is designed to run inside infrastructure that the customer operates. Application data, prompts, and generated content stay within that boundary.

Defence in depth

Transport security (TLS 1.3), encryption at rest (AES-256), role-based access control, signed releases, and audit logging are applied across the AXOS surface.

Software supply chain

Dependencies are tracked, builds run from version-controlled sources, and releases are tagged. Known vulnerabilities are triaged on a defined cadence.

Coordinated vulnerability disclosure

We welcome reports from security researchers, customers, and the wider community. Reports are handled under a coordinated disclosure model — we ask reporters to give us a reasonable window to remediate before publicising findings.

Step 1

Report privately

Email security@scotitech.com with a clear description, reproduction steps, the affected component, and any proof-of-concept material. PGP key available on request.

Step 2

We acknowledge

We aim to acknowledge security reports within two business days, and to provide a first triage update within five business days.

Step 3

We remediate

Severity is assessed against CVSS and operational impact. Remediation is delivered through a regular or out-of-band release, depending on severity.

Step 4

Coordinated disclosure

We coordinate public disclosure with the reporter, typically after a fix is available and customers have had a reasonable window to update. Credit is offered with the reporter’s consent.

Safe harbour

If you research in line with the rules below, we will not pursue legal action and will treat your activity as authorised testing.

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Use only test accounts or your own data when investigating.
  • Do not access, modify, or retain data belonging to others.
  • Give us a reasonable opportunity to remediate before any public disclosure.
  • Stay within the scope of the AXOS marketing site, hosted demo, and components you operate.

Out of scope

The following activities are not authorised and reports based on them will be closed.

  • Social engineering of ScotiTech staff or customers.
  • Denial-of-service or volumetric testing against any AXOS-operated service.
  • Findings on third-party services that AXOS depends on (please report those upstream).
  • Reports based purely on missing security headers without a demonstrated impact.

Report a vulnerability

Send security reports to the address below. For machine-readable contact information, the AXOS security.txt follows RFC 9116.

If you believe a vulnerability is being actively exploited

Include the word URGENT in the subject line and provide as much context as possible. We monitor the security inbox during business hours and will escalate out-of-hours where the report indicates active exploitation.

Last updated: June 2026