Coordinated vulnerability disclosure.

Reporting a sensitive vulnerability

For any of the following classes, do not open a public issue:

• Authentication or authorisation bypass.
• Customer-data exposure or cross-tenant leakage.
• Remote code execution.
• Supply-chain compromise (signed-artefact integrity, CI / CD).
• Cryptographic weakness in our protocols.
• Adversarial or model-evasion findings against deployed models that affect production.
• Any vulnerability in autonomous-decision pipelines.

The founders read security@ directly. Rotation to a dedicated security team is announced in the changelog. The PGP key fingerprint is published below.

Email: [email protected]
PGP key: /.well-known/pgp-key.asc

Our commitments to disclosers

• Acknowledgement within 24 hours of receipt.
• Initial scoping within 5 business days.
• Remediation timeline communicated within 10 business days.
• Coordinated disclosure timed to fix-deployment-readiness.
• Safe harbour: no legal pursuit of good-faith research; no NDA required for disclosure.