Security Policy
Effective May 28, 2026 · Last updated May 28, 2026
The short version. If you've found a security vulnerability in KeyVex, email contact@keyvex.com with reproduction steps and an impact assessment. We'll acknowledge receipt within 5 business days, investigate in good faith, and tell you what we found. We won't pursue legal action against good-faith researchers who follow this policy.
1. Reporting a vulnerability
Send security reports to contact@keyvex.com. To help us triage quickly, please include:
- A description of the vulnerability and the affected component or URL
- Step-by-step reproduction instructions (and a proof-of-concept where applicable)
- Your assessment of the potential impact
- Any relevant logs, request/response captures, or screenshots
This contact is also published in machine-readable form at /.well-known/security.txt per RFC 9116.
2. Scope
In scope:
- mcp.keyvex.com — the MCP API endpoint
- keyvex.com and www.keyvex.com — the marketing site
- Other *.keyvex.com hosts we operate
Out of scope:
- Third-party services KeyVex links to or sources data from (e.g., SEC EDGAR, USAspending.gov, OFAC, FEC, and the other government repositories) — report those to the respective operator
- Social engineering of KeyVex staff, contractors, or service providers
- Physical security and attacks requiring physical access
- Denial-of-service / volumetric attacks, and findings that only demonstrate the absence of a best-practice hardening control without a concrete exploit
3. What we commit to
- Acknowledge your report within 5 business days of receipt.
- Investigate in good faith with a reasonable standard of care.
- Communicate our disposition — whether we've confirmed the issue, what we intend to do, and when we expect to have addressed it.
These are good-faith operational commitments, not contractual service-level guarantees.
4. Safe harbor
We will not pursue legal action against security researchers who, in good faith:
- Report a vulnerability to us promptly via the channel above
- Do not access, modify, or retain data beyond the minimum necessary to demonstrate the issue
- Do not degrade, disrupt, or deny service to KeyVex or its users
- Give us a reasonable opportunity to investigate and remediate before any public disclosure
Activity conducted consistent with this policy is considered authorized, and we will not recommend or pursue legal action for it. If legal action is initiated by a third party against you for activity conducted under this policy, we will make this authorization known.
5. Out of scope by design
KeyVex publishes US public-record disclosure data that is already public by federal mandate. The MCP API is read-only — the endpoint runs under a dedicated service account with read-only database permissions, so a request to the API physically cannot modify our data. KeyVex does not operate a user-account system, does not issue API keys for the public endpoint, and does not maintain a store of proprietary or sensitive user data to exfiltrate. The security surface is intentionally narrow, and realistic findings will generally concern availability, configuration, or the integrity of the public-data pipeline rather than confidentiality of private user data.
6. Bug bounty
KeyVex does not currently operate a paid bug-bounty program. We genuinely appreciate responsible disclosure and will credit researchers who wish to be acknowledged.
This is v1 of our security policy, established to provide a clear, working vulnerability-reporting mechanism. It does not commit KeyVex to monetary rewards or specific contractual response times, and its formal commitments are subject to legal review. This policy will be updated as our security program matures.