Legal

Security disclosure.

Civitas Compliance is built by Myrmidon Industries, LLC. Security is treated as a first-order architectural concern, not a policy layer bolted on after the fact. Append-only ledgers, fail-closed audit, deterministic replayability, view/mutation separation, and closed-set actions are enforced in code across the platform.

Reporting a vulnerability

If you believe you have found a security vulnerability in this website, in the Civitas Compliance application, or in the CivicPath mobile application, write to security@civitascom.com.

Our machine-readable security contact is at /.well-known/security.txt (per RFC 9116).

What to include

A clear description of the vulnerability
Steps to reproduce, including any preconditions
The affected endpoint, page, or surface
Your name or handle if you'd like attribution; anonymous reports are also welcome

What we ask

Give us reasonable time to investigate and remediate before public disclosure
Do not access, modify, or destroy data belonging to others while testing
Do not run automated denial-of-service or stress tests against production systems

We will acknowledge valid reports promptly, provide remediation timelines, and credit the researcher (with consent) when the issue is resolved.