# Security policy

The Cornerstone Estate Management Platform is built and maintained by Oakwright (Connor Nelson, connor@oakwright.co). This document covers how to report security issues.

## Reporting a vulnerability

Please email **security@oakwright.co**. Include:

1. A clear description of the issue
2. Steps to reproduce, or proof-of-concept code
3. The affected URL, parameter, or component
4. Any impact you observed (data exposure, privilege escalation, etc.)
5. Your name or handle for credit, if you want it

Encrypt with PGP if you prefer; the public key is published at https://oakwright.co/.well-known/pgp-key.txt (coming soon). Plain email is fine in the meantime.

## What you can expect

- **Acknowledgment within 1 business day.** A real person reads the inbox.
- **Initial triage within 5 business days.** We confirm whether the issue is in scope and reproduce it.
- **Fix timeline depends on severity:**
  - Critical (auth bypass, RCE, data exfiltration): patched within 7 days, often same-day.
  - High (privilege escalation, sensitive data leak): patched within 14 days.
  - Medium / Low: scheduled into the normal release cadence; you will get a status update.
- **Public disclosure coordination.** We will not publicly disclose details until a fix is deployed. If you want credit, we will note your contribution in release notes after the fix ships.

## In scope

Anything served from `https://demo.oakwright.co` and any related Cornerstone-branded subdomain.

In particular: authentication, authorization, session handling, file upload, CSRF, XSS, SQL injection, IDOR, audit log integrity, MFA flows, the feedback widget end-to-end, and the `/api/feedback` HMAC forwarding contract.

## Out of scope

- Denial of service via volumetric attack
- Social engineering of staff or owners
- Physical attacks on infrastructure
- Vulnerabilities in third-party dependencies that we have not yet shipped a fix for upstream (please report those upstream first)
- Self-XSS or anything that requires the victim to perform unusual local actions
- Issues that require a compromised, expired, or jailbroken device
- Findings from automated scans that do not include a working proof of concept

## Safe harbor

If you make a good-faith effort to follow this policy, we will:

- Not pursue or support legal action against you for your research
- Work with you to understand and resolve the issue
- Treat your report as confidential while we investigate

Good-faith research means: you stop and report the moment you confirm a vulnerability, you do not access or modify data that does not belong to you, you do not degrade service availability, and you do not use the issue to harm anyone.

## No bug bounty for v1

There is no monetary bounty program at this time. Credit in release notes is the only reward on offer right now. We will revisit this once the platform graduates from demo to production.

---

Last reviewed: 2026-05-18