Responsible Disclosure Policy — Narrative Consulting

✉

Report a vulnerability

Send vulnerability reports to security@accessnarrative.com
We acknowledge all reports within 48 hours. PGP encryption available on request.

Scope

This policy applies to security vulnerabilities discovered in Narrative Consulting's public-facing properties and the Access Narrative platform. We welcome good-faith security research and are committed to working collaboratively with researchers who identify vulnerabilities.

In scope:

accessnarrative.com and all subdomains
narrativeconsulting.com (when live) and subdomains
Access Narrative application (app.accessnarrative.com)
Any APIs or services exposed under the above domains

This policy does not cover vulnerabilities found in client systems during engagements — those are handled directly with the affected client per our engagement security controls.

Reporting

To report a vulnerability, email security@accessnarrative.com with the following information:

A clear description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Screenshots, proof-of-concept code, or other supporting evidence
Any systems or data you believe may have been affected
Your preferred contact method and whether you'd like to be credited publicly

If you're concerned about the sensitivity of the information, request our PGP public key before sending. We will provide it within one business day.

Please do not submit vulnerability reports through GitHub issues, public forums, or social media. Reports sent to non-security email addresses will be forwarded to security@accessnarrative.com.

Our Commitment

When you report a vulnerability to us in good faith, we commit to the following:

Acknowledgment

We will acknowledge your report within 48 hours of receipt.

Updates

We will keep you informed of our investigation progress at least every 7 days.

Resolution

We will work to resolve confirmed vulnerabilities as quickly as possible, prioritizing by severity.

Credit

We will publicly credit researchers who responsibly disclose vulnerabilities, if they wish to be recognized.

Transparency

We will notify you when the vulnerability is resolved and share details of the fix if appropriate.

No Retaliation

We will not take legal action against researchers who comply with this policy.

Safe Harbor

Narrative Consulting supports responsible security research. We consider good-faith security research conducted in compliance with this policy to be:

Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
Exempt from DMCA claims related to circumvention of access controls to the extent necessary for legitimate research
Lawful and compliant with our terms of service for the purposes of the research

This safe harbor applies when: (1) research is conducted in good faith; (2) you do not disrupt our services or access systems beyond what is necessary to demonstrate the vulnerability; (3) you do not access, modify, or delete data belonging to our users or clients; (4) you report findings to us before public disclosure and allow reasonable time for remediation.

We do not authorize testing against our clients' systems or data under any circumstances.

Out of Scope

The following types of reports fall outside the scope of this policy and will not be acted upon:

Denial of service (DoS/DDoS) attacks or any testing that degrades service availability
Spam or social engineering attacks against our team or clients
Physical attacks against our offices or personnel
Vulnerabilities in third-party services or platforms we use but do not control
Reports generated by automated scanning tools without manual validation
Issues that require physical access to a device
Clickjacking on pages with no sensitive actions
Missing security headers that do not lead to demonstrable exploitability
Rate limiting on non-sensitive endpoints
Self-XSS and browser-specific issues that cannot be triggered externally