Airlock Security Advisories
Vulnerability Disclosure Policy
Last modified: May 8th, 2026
As a vendor of a security software suite, we are dedicated to keeping our software secure. We welcome security researchers to reach out and report any potential vulnerabilities discovered in our products.
Scope
This vulnerability disclosure policy covers the security suite “Airlock Secure Access Hub”, including the components
- Airlock SaaS
- Airlock Identity and Access Management (IAM)
- Airlock Gateway
- Airlock Microgateway
deployed as a self-contained application or in containerized form.
Vulnerability definition
We consider a vulnerability to be any issue with a demonstrable negative security impact on a supported component within our scope — typically allowing an attacker to violate confidentiality, integrity, or availability, or to bypass a documented security control. Theoretical weaknesses without demonstrable impact, missing defense-in-depth hardening, issues depending on configurations we explicitly discourage, and vulnerabilities in third-party components where Airlock is not the upstream maintainer are evaluated case by case and may be addressed without a CVE. End-of-life versions generally receive a CVE only when the same issue also affects a supported version.
Reporting a vulnerability
Reports are accepted via email at security@airlock.com. We encourage you to encrypt your submission using our PGP public key.
Please provide a detailed technical explanation of the required steps to reproduce the issue, including descriptions of any tools used for identification or exploitation. Please attach screenshots and other supporting documents. We favor reports that include proof-of-concept code demonstrating how the vulnerability can be exploited. If your submission contains exploit code or scripts, please include them in a non-executable file format.
When reporting a vulnerability, you may include contact information and preferred communication details. We may reach out to clarify elements of your report or request additional technical details.
By submitting a report to Airlock, you confirm that neither the report nor its attachments infringe on any third-party intellectual property rights. You also grant Airlock a non-exclusive, royalty-free, worldwide, perpetual license to use, reproduce, create derivative works from, and publish the report and its attachments.
Disclosure
Airlock is committed to promptly addressing vulnerabilities that could impact our customers. We will acknowledge compliant reports within five (5) business days. We will triage the report and tell you whether we have validated it, need more information, or do not consider it in scope (with reasoning). For confirmed in-scope vulnerabilities, Airlock reserves a CVE ID and shares it with you as a common reference, agrees a coordinated disclosure date with you (normally aligned with the release of a fix), and publishes the CVE record at or shortly after the corresponding advisory appears on this page.
Credit in the advisory and CVE record is offered by default.
CVE ID assignment is decided independently of bounty eligibility in any bug bounty program — a report may qualify for a CVE without qualifying for a bounty, and vice versa.
To protect users, please do not publish information about the submitted vulnerability until we have explicitly agreed to its disclosure.
If you act in good faith and in compliance with this policy, Airlock will collaborate with you to resolve the issue and will not pursue legal action related to your research.
Further information
Questions regarding this policy or the process of reporting a vulnerability may be sent to security@airlock.com.