Vulnerability Disclosure Policy
Our Commitment to Security
At Axelera AI, we're pushing the boundaries of AI acceleration with our groundbreaking edge AI solutions. As we innovate rapidly, security remains a cornerstone of our development philosophy. We believe in building secure products from the ground up and welcome the collaboration of security researchers and our user community to help strengthen our security posture.
This Vulnerability Disclosure Policy outlines how you can report potential security vulnerabilities to us and how we'll address them. By working together, we can ensure that Axelera AI's products remain at the forefront of both performance and security.
Scope
This policy applies to security vulnerabilities discovered in:
- Axelera AI hardware products (e.g., Metis AIPU based products)
- Axelera AI software (e.g., Voyager SDK) and firmware
- Axelera AI proprietary cloud services and APIs that are developed in-house and maintained by us
- Axelera AI websites and web applications that we host and maintain
Out of Scope
The following are considered out of scope for this policy:
- Automated vulnerability scanner outputs without manual verification or impact analysis
- Reports indicating that our products don't fully align with "best practices" without demonstrating an actual security impact
- Common configuration issues such as:
  - TLS configuration weaknesses (e.g., "weak" cipher suite support, TLS 1.0 support, Sweet32, BEAST, etc.)
  - Missing security headers which don't lead to exploitable vulnerabilities
  - Server information disclosure (e.g., server version in headers)
- Publicly disclosed vulnerabilities in third-party components without demonstration of impact
- Vulnerabilities requiring physical access to hardware (unless related to secure boot or similar security mechanisms)
- Social engineering attacks against Axelera AI employees
- Denial of Service attacks
How to Report a Vulnerability
If you believe you've found a security vulnerability in our products or services, we encourage you to notify us through the following process:
- Send an email to security@axelera.ai with the subject line "Security Vulnerability Report"
- Include in your report:
  - A detailed description of the vulnerability and the potential impact
  - The affected product or service and version number
  - Steps to reproduce the issue (with screenshots or videos where applicable)
  - Any proof-of-concept code or tools used to identify the vulnerability
  - Your name and contact information (if you wish to be credited)
Important: Please share security issues with us before disclosing them publicly on message boards, social media, mailing lists, or other forums. We take security seriously and appreciate the opportunity to address vulnerabilities before they become widely known.
What We Do With a Vulnerability Report
When we receive your report, our process is as follows:
- We will acknowledge receipt of your report within 10 business days
- Our technical team will analyze and confirm the reported vulnerability
- We will keep you informed about our progress in addressing the vulnerability
- Once the vulnerability is resolved, we may ask you to verify our fix
- With your permission, we may publicly acknowledge your contribution
Please note that we may not respond to every report, particularly those that fall outside the scope of this policy or those that don't represent actual security vulnerabilities.
Your Privacy
We value your privacy and will only use your personal details to act on your report. We will not share your personal details with others without your express permission. If you wish to remain anonymous, you may submit your report without personal information.
Bug Bounty Programme
Axelera AI does not currently operate a bug bounty programme. While we greatly appreciate your contributions to our security, please note that vulnerability reports are accepted on a voluntary basis and are not eligible for financial rewards at this time.
We deeply value the contributions of security researchers and will gladly acknowledge your assistance (with your permission) in making our products more secure.
Legal Safe Harbor
We will not pursue legal action against individuals who submit security vulnerability reports in good faith and in accordance with this policy. This includes:
- Copyright or intellectual property rights violations under the EU Copyright Directive that were necessary to identify the vulnerability
- Activities that might otherwise violate the EU Cybersecurity Act or NIS2 Directive that were necessary to identify the vulnerability
- Violations of similar EU and international laws that were necessary to identify the vulnerability
We ask that you adhere to the following essential guidelines when testing for vulnerabilities:
- Do not cause harm: It is critically important that you make every effort to avoid privacy violations, destruction of data, disruption of services, or any other actions that could negatively impact our users, systems, or business operations
- Respect boundaries: Only interact with accounts you personally own or have received explicit permission to test
- Minimal testing only: Under no circumstances should you exploit vulnerabilities beyond the minimum amount necessary to prove a vulnerability exists
- Stop if damage may occur: Immediately cease testing and report to us if you believe your testing might cause harm or unintended consequences
- Follow the principle of least intrusion: Always choose the testing method that is least disruptive and invasive to systems and data
Thank You
At Axelera AI, we're building the future of edge AI acceleration. Your support in keeping our products secure is invaluable to our mission. Together, we can ensure that innovation and security go hand in hand.
This policy may be updated periodically. Last updated: March 19, 2025