Home Security

Security & disclosure.

We build maritime cyber defence for a living — so we hold our own platform and website to the same standard. If you believe you have found a security vulnerability, we want to hear from you, and we commit to working with you in good faith.

Last updated: 27 April 2026 · Version 1.0

Contents

  1. Reporting a vulnerability
  2. Scope
  3. Safe harbour
  4. Researcher guidelines
  5. What to expect from us
  6. Out of scope
  7. Product security posture
  8. Contact

1. Reporting a vulnerability

Email security@navisarca.com with enough detail for us to reproduce the issue: affected asset or URL, a description of the vulnerability, reproduction steps, and any proof-of-concept. If you wish to encrypt your report, ask us for a PGP key and we will provide one. Our machine-readable contact details are published at /.well-known/security.txt per RFC 9116.

Please report promptly after discovery, give us a reasonable opportunity to remediate before any public disclosure, and avoid privacy violations, data destruction, or service degradation while testing.

2. Scope

The following are in scope for coordinated disclosure:

  • The Navis Arca website (navisarca.com and its subdomains).
  • The Navis Arca operator console and multi-tenant cloud control plane.
  • The Navis Arca vessel agent and its update mechanism.

If you are unsure whether a target is in scope, ask us first at security@navisarca.com.

3. Safe harbour

We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. We consider security research conducted under this policy to be authorised, lawful, and helpful. If a third party initiates legal action against you for activity conducted in line with this policy, we will make it known that your actions were authorised.

4. Researcher guidelines

  • Only interact with accounts you own or have explicit permission to test.
  • Do not access, modify, or delete data that is not yours.
  • Do not run automated scanners at a volume that degrades service for others.
  • Do not use social engineering, physical attacks, or denial-of-service techniques.
  • Keep the details of any vulnerability confidential until we have remediated and agreed on disclosure timing.

5. What to expect from us

  • Acknowledgement of your report within 3 business days.
  • A triage assessment and severity rating within 10 business days.
  • Regular updates on remediation progress for valid reports.
  • Public credit for your discovery, if you would like it, once the issue is resolved.

We do not currently operate a paid bug-bounty programme. We are grateful for, and will acknowledge, every good-faith disclosure.

6. Out of scope

The following findings are generally not eligible and are unlikely to be actioned on their own:

  • Reports from automated scanners without a demonstrated, exploitable impact.
  • Missing security headers or cookie flags with no demonstrated exploit.
  • Clickjacking on pages with no sensitive state-changing action.
  • Rate-limiting, brute-force, or denial-of-service findings.
  • Social engineering of our staff, customers, or suppliers.
  • Vulnerabilities in third-party services we do not control.

7. Product security posture

A short summary of how Navis Arca is built and operated. Detailed documentation is available to customers and prospects under NDA on request to security@navisarca.com.

  • Parent ISMS. Navis Arca is built and operated by Necurity Solutions, which maintains an independently audited ISO/IEC 27001-certified information security management system.
  • Encryption in transit. All traffic between the vessel agent, the operator console, and the cloud control plane is encrypted with TLS.
  • Access control. Operator access to tenants requires multi-factor authentication and is governed by role-based access control with a queryable, tamper-evident audit log.
  • Tenancy & residency. The cloud control plane is multi-tenant and region-pinned, so customer data stays in the region you choose.
  • Least-privilege support. Any Navis Arca / Necurity access to a customer tenant is time-limited, audited, and initiated by the customer from the console.

8. Contact

Security reports: security@navisarca.com
General enquiries: sales@navisarca.com · contact form
Operated by Necurity Solutions Network Security Private Limited, Chennai, India.