Physis Defense LLC operates defense and research infrastructure. We take security seriously and welcome responsible disclosure from the security research community.
1. Our Commitment
We are committed to protecting our users, their data, and our systems. Security researchers who identify and responsibly report vulnerabilities provide a valuable service. We commit to:
- Acknowledging your report promptly
- Investigating all credible vulnerability reports in good faith
- Keeping you informed as we work to address the issue
- Not pursuing legal action against researchers who follow this policy
2. How to Report
To report a security vulnerability, email us at:
hello@physisdefense.com
Subject line: Security Disclosure
Please include the following in your report:
- A description of the vulnerability and its potential impact
- The affected product, system, or URL
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code, screenshots, or logs (where appropriate)
- Your name or handle, if you'd like credit
Please submit reports in English. Encrypted submissions are welcome — contact us for our PGP key.
3. Response Timeline
- Within 48 hours — We will acknowledge receipt of your report
- Within 14 days — We will complete an initial investigation and update you on our findings
- Remediation — Timeline varies by severity; we will keep you informed of progress
- Disclosure — We will coordinate public disclosure with you after remediation
4. Safe Harbor
Physis Defense LLC will not initiate legal action against security researchers who:
- Discover and report vulnerabilities in good faith under this policy
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the vulnerability
- Do not disrupt or degrade service to other users
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it
- Act in compliance with all applicable laws
This safe harbor does not extend to anyone who exploits a vulnerability for unauthorized access, data theft, or disruption, regardless of how the vulnerability was found.
5. Scope
In scope:
- dashboard.inventimatrix.com and all subdomains
- The LUMINA Private App (/lumina routes)
- The Inventi Matrix API (api.physisdefense.com)
- Authentication and authorization systems
- Data exposure vulnerabilities
- LUMINA AI prompt injection and jailbreak vulnerabilities
Out of scope:
- Social engineering attacks against our staff or users
- Physical access attacks
- Third-party services (Stripe, Vercel, Cloudflare) — report those to the respective vendors
- Denial of service attacks
- Spam or phishing not involving platform vulnerabilities
- Theoretical vulnerabilities without a proof of concept demonstrating impact
6. Bug Bounty
Physis Defense LLC does not currently operate a bug bounty program with monetary rewards. We appreciate the security research community's contributions and will recognize reporters in our security acknowledgments (with permission). We may introduce a formal bounty program in the future.
7. Credit & Recognition
We are happy to publicly credit security researchers who responsibly disclose vulnerabilities, with their permission. If you would like to be credited by name or handle in our security acknowledgments, please let us know in your report.
8. What Not To Do
When testing for vulnerabilities, please do not:
- Access, download, or modify user data that does not belong to you
- Disrupt or degrade the service for other users
- Destroy or corrupt data
- Conduct automated scanning at a rate that impacts service performance
- Extort Physis Defense LLC
- Publicly disclose vulnerability details before coordinating with us