Imperial Eminence Cyberguard Corporation · The Ivory Index

Vulnerability Disclosure Policy

Tier V — Security Program · Ref: IECC-T5-003 · Version 1.0 · Effective 14 June 2026

Article I — Purpose & Commitment

Imperial Eminence Cyberguard Corporation ("IECC") operates this Vulnerability Disclosure Policy ("VDP") to encourage responsible disclosure of security vulnerabilities in The Ivory Index Software and IECC systems. IECC is committed to working with security researchers in good faith to identify and resolve vulnerabilities promptly.

Article II — Scope

In Scope

• The Ivory Index desktop application (all supported versions)
• The Ivory Index website and web-based services (aoarose.com / imperialecc.com)
• IECC's publicly accessible APIs and endpoints
• The Ollama integration layer within The Ivory Index (not Ollama itself)

Out of Scope

• Third-party services used by IECC (Ollama, Meta's model weights, cloud providers) — report these to the respective vendors
• Vulnerabilities in AI model outputs (hallucinations, biased outputs) — these are addressed through the AI Liability Framework
• Denial-of-service attacks against IECC infrastructure
• Social engineering of IECC personnel
• Physical security attacks
• Vulnerabilities requiring physical access to the User's device

Article III — Rules of Engagement

To qualify for safe harbour under this Policy, researchers must:

• Report vulnerabilities to legal@imperialecc.com before public disclosure
• Provide sufficient detail to reproduce the vulnerability (steps to reproduce, proof-of-concept, affected versions)
• Allow IECC a reasonable remediation period before public disclosure (see Article IV)
• Not access, modify, exfiltrate, or destroy data belonging to other users
• Not disrupt IECC services or degrade performance for other users
• Not use automated scanning tools against IECC infrastructure without prior written authorisation
• Not disclose vulnerability details to third parties without IECC's prior written consent
• Conduct research only on systems they own or have explicit permission to test

Article IV — Response Timelines

Article V — Recognition

IECC recognises the contributions of security researchers who responsibly disclose vulnerabilities. With the researcher's consent, IECC will: (i) publicly credit the researcher in the relevant security advisory or release notes; and (ii) maintain a Hall of Acknowledgement on the IECC website (upon launch). IECC does not currently operate a bug bounty programme with monetary rewards; this may be introduced in future.

Article VI — What We Will Not Do

• Pursue legal action against researchers acting in good faith within this Policy's scope
• Report researchers to law enforcement for good-faith research
• Retaliate against researchers for responsible disclosure
• Disclose a researcher's identity without their consent

Article VII — Reporting Channel

All vulnerability reports must be submitted to: legal@imperialecc.com. Use subject line: [VDP] Vulnerability Report — [Brief Description]. PGP encryption is available upon request for sensitive findings. Do not submit vulnerability reports via public issue trackers, social media, or third-party platforms.

Drafted with the assistance of

Voidlex

Imperial Legal Intelligence · IECC Suite · v2.6

This document was prepared with the assistance of Voidlex, a legal document drafting tool developed by Imperial Eminence Cyberguard Corporation (IECC). Voidlex is a drafting aid only. It does not constitute legal advice, does not practice law, and does not guarantee the legal enforceability of this document in any jurisdiction. Users are strongly encouraged to seek independent legal counsel before relying on this document for commercial, regulatory, or enforcement purposes.

Governing Law — All Disputes Cayman Islands · Grand Court of the Cayman Islands

IECC Registered Operations Planned Cayman Islands registration · pre-incorporation stage

Drafting System Voidlex v2.6 · Imperial Eminence Cyberguard Corporation

TRIBUNEH · IECC Legal Division