Incident Response
Documented, drilled, disclosed.
When you should contact us
- Suspected vulnerability in Studio
Email security@peerislands.com with reproduction steps. 48-hour acknowledgement SLA.
- Active exploitation
Email security@peerislands.com with subject line "URGENT — active". Out-of-hours coverage applies.
- Compromised customer credential surfaced via Studio
Treat this as a credential-rotation event: rotate the credential on the provider side first, then notify us so we can check Studio for related exposure.
Our process
- Detection
Sources: customer reports (security@), Aikido alerts (continuous), grype daily run, manual triage of upstream advisories.
- Classification
Severity is assigned from the CVSS score, adjusted for exploitability and for whether the affected code is reachable in Studio's runtime. Scope is assessed within 7 days.
- Customer notification
Customer-facing impact is communicated via direct email and the Trust Center's vulnerability rollup.
- Remediation
Remediation targets: critical within 30 days, high within 60 days. Fixes ship in the next scheduled release; criticals get an emergency release.
- Post-mortem
Internal blameless post-mortem for any customer-impacting incident. Aggregated learnings appear in the lessons-learned doc and inform pre-commit / release-gate updates.
Operational scope
- Studio binary
Vulnerabilities in the shipped Studio code or dependencies.
- Release infrastructure
GCS release hosting, GitHub release tap, Trust Center hosting.
- Marketplace / Hub
PeerAI-operated services for asset publishing and licensing.
- Out of scope (customer-side)
The customer's endpoint, the customer's chosen LLM provider, and the customer's databases; incidents there follow the respective vendor's incident-response process.