Latica Responsible Vulnerability Disclosure Statement
August 18, 2025
At Latica, we proactively monitor our products after they are put into service and respond, as appropriate, when we learn of vulnerabilities either internally or from sources outside of Latica.
How to Report a Potential Product Security Vulnerability
Latica has developed a process to receive potential product security vulnerabilities from external sources, validate their existence, and determine the best response to improve product security and safety. Please e-mail potential product security vulnerabilities to the Security team at [email protected]
- Do not submit any data that contains individually identifiable health information (IIHI/PHI) or personally identifiable information (PII).
- Provide detailed contact information so that we can reach you. Alternatively, you may submit your report anonymously if you wish.
- Please notify us as soon as possible after discovering a real or potential security issue.
- Provide clear descriptions of the potential product security vulnerability you have identified and the methods used to exploit it. Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide proof-of-exploit code, if available, and/or screenshots showing the exploitation.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Information submitted under this policy will be used for defensive purposes only — to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Latica, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
- Please include any plans or intentions for public disclosure, as well as whether you have already communicated with a vulnerability coordinator (e.g., US-CERT, H-ISAC, ISAO, or others), and provide their tracking number for this potential vulnerability, if one was assigned.
- Provide a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
What you can expect from Latica
- We will acknowledge receipt of your report within five business days.
- We will confirm the existence of the vulnerability to the best of our ability and be as transparent as possible.
- We will maintain an open dialogue to discuss any issues that may arise.
- We will not share your name or contact information without your permission unless legally required to do so.
- While we appreciate vulnerability reporting for the Latica website (https://www.latica.ai), it is outside the scope of any bug bounty program.