Reporting vulnerabilities and our security posture.
We take reports seriously. If you have found a security issue please get in touch using the details below.
Reporting a vulnerability
Email security@foundationmachines.ai. Encrypt sensitive details with our PGP key (forthcoming). Please include a clear description of the issue, steps to reproduce and any proof of concept code. Do not include real user data.
In scope
- All hosts under *.foundationmachines.ai.
- Our published npm packages under the @foundation scope.
- Our GitHub Apps and OAuth integrations.
Out of scope
- Denial of service, volumetric or rate-limit testing.
- Social engineering of staff, customers or contractors.
- Issues in third-party services we depend on. Report those upstream.
- Reports based solely on missing security headers without a demonstrable impact.
Response SLA
We aim to acknowledge reports within 72 hours and triage within five working days. Critical issues have a 90-day target fix window. We will keep you updated through the process.
Safe harbour
If you make a good-faith effort to comply with this policy during your security research we will not pursue legal action against you and will work with you to understand and resolve the issue quickly. Avoid privacy violations, destruction of data and interruption or degradation of our services. Only interact with accounts you own or have explicit permission to access.
Coordinated disclosure
We follow a 90-day coordinated disclosure timeline. After a fix has shipped, or 90 days from the date of the initial report (whichever comes first), we may publish details of the issue along with credit to the reporter unless you ask to remain anonymous.
Hall of fame
No reporters yet. Be the first.
Bug bounty
We are considering a paid bounty programme. In the meantime please reach out for high-impact reports and we will discuss recognition on a case-by-case basis.