Security Policy

Last updated: 3rd of June 2026

1. Our commitment

Security and privacy are central to what we do at After Technologies AS. We welcome good-faith security research and value the work of the community in keeping our products and users safe. This policy explains how to report a vulnerability and what to expect in return.

2. Scope

This policy covers vulnerabilities in the software and hardware we produce — this website, our applications and APIs, and our physical devices. If you are unsure whether something is in scope, ask us.

Out of scope:

• Prototype, pre-production, and other unreleased hardware.
• Third-party services we use but do not control.
• Denial-of-service (DoS/DDoS) and other disruptive testing.
• Social engineering, phishing, and physical attacks.
• Automated scanner output without a demonstrated, exploitable impact.

3. How to report

Send your report to security@after.tech, in English or Norwegian. To help us triage quickly, please include:

• A clear description of the issue and the product, version, or URL affected.
• Step-by-step instructions to reproduce it.
• The impact, plus any proof-of-concept code, screenshots, or logs.

4. What you can expect from us

• We will acknowledge your report within five business days.
• We will keep you updated as we investigate and work towards a fix.
• We will resolve confirmed issues as quickly as their severity warrants.
• With your permission, we will credit you once the issue is resolved.

5. Guidelines for researchers

When investigating, we ask that you:

• Give us a reasonable chance to fix an issue before disclosing it publicly. We aim for 90 days and will gladly coordinate timing with you.
• Avoid privacy violations, data destruction, and any disruption to our services.
• Only test accounts you own or have permission to use, and access the minimum data needed to demonstrate an issue.
• Do not access, modify, or delete data belonging to others. If you come across such data, report it and then delete your copy.
• Comply with all applicable laws.

6. Safe harbour

We will not pursue or support legal action against researchers who act in good faith and follow this policy; we consider such research authorised. If a third party brings legal action against you for activities carried out under this policy, we will make this authorisation known.

7. Contact

Security reports: security@after.tech
For anything else, see our Privacy Policy or contact After Technologies AS at hello@after.tech.