← Back to The Freedom Project

Security Policy

Last updated: May 16, 2026

Scope

This policy applies to all properties owned and operated by The Freedom Project, LLC, including:

  • www.freedomproject.ai — corporate site
  • aim.freedomproject.ai — AIM (Architectural Insight for Modernization)
  • arc.freedomproject.ai — ARC (Accelerated Reach & Credibility)
  • bids.freedomproject.ai — BIDS (Business Intelligence and Discovery System)
  • Any other subdomain of freedomproject.ai operated by The Freedom Project

Reporting a Vulnerability

If you discover a security vulnerability, please report it privately to:

[email protected]

Please do not open a public GitHub issue, post to social media, or otherwise publicly disclose the vulnerability before we have remediated it.

In your report, please include:

  • The affected URL, endpoint, or component
  • Clear steps to reproduce the issue
  • The potential impact (data exposure, privilege escalation, etc.)
  • Any proof-of-concept code, screenshots, or logs (please avoid attaching real user data)
  • Your contact information and preferred name for acknowledgment, if you want credit

Our Commitment

  • We will acknowledge receipt of your report within 72 hours.
  • We will keep you informed of our progress as we investigate and remediate.
  • We will not pursue legal action against researchers who act in good faith and follow this policy.
  • With your permission, we will credit you publicly after a fix is released.

Rules of Engagement

To act in good faith under this policy, please do not:

  • Perform denial-of-service (DoS / DDoS) testing of any kind
  • Perform automated scanning that generates significant load on our systems
  • Access, modify, or download data that is not your own
  • Use social engineering against our team, customers, or vendors
  • Test physical security of our premises or those of our partners
  • Publicly disclose the vulnerability before we have released a fix and agreed on a disclosure date

Out of Scope

The following are generally not considered security vulnerabilities:

  • Missing security headers without a demonstrated exploit
  • Self-XSS or issues that require an unrealistic level of user interaction
  • Best-practice recommendations without a concrete impact (e.g. SPF / DKIM / DMARC tightening)
  • Rate-limiting or brute-force findings against public marketing pages
  • Issues in third-party services we use (please report those to the vendor directly)

If you're unsure whether something is in scope, email us — we'd rather hear it and decline politely than miss something real.

Coordinated Disclosure

We follow coordinated-disclosure practices. We will work with you to agree on a public disclosure date once a fix is released, typically within 90 days of the initial report.

Machine-Readable Policy

A machine-readable version of this policy (per RFC 9116) is published at:

/.well-known/security.txt