Skip to content
FoundationMachines
Vulnerability disclosure

Found a security issue? Tell us.

We treat vulnerability reports as a gift. This page tells you exactly how to send them, what's in scope and how we'll respond.

Email security@ security.txt

How to report

Email security@foundationmachines.com. Include a clear description of the issue, reproduction steps and any proof-of-concept code. Do not include real user data. If you'd like to encrypt the report, ask for our PGP key first; we will reply with the public key and a key fingerprint over the same channel.

Do not open public GitHub issues for security-relevant bugs. We will keep credit and disclosure scheduling on your terms.

In scope

  • All hosts under *.foundationmachines.ai and *.foundationmachines.com.
  • The Sebastion AI GitHub App (github.com/apps/sebastionai) and any OAuth integrations we publish.
  • Our published packages under the @foundation npm scope.
  • The Sebastion AI gateway (api.foundationmachines.ai).

Out of scope

  • Denial of service, volumetric or rate-limit testing.
  • Social engineering of staff, customers or contractors.
  • Physical attacks on offices or data centres.
  • Issues in third-party services we depend on (Vercel, GitHub, Anthropic, OpenAI, Cloudflare). Report those upstream.
  • Reports based solely on missing security headers, version disclosure or rate limits without a demonstrable security impact.
  • Self-XSS, content spoofing and clickjacking on non-sensitive pages.

Response SLA

We aim to acknowledge reports within 72 hours and triage within five working days. Critical issues have a 90-day target fix window; high and medium issues have proportional timelines we'll communicate after triage.

Safe harbour

If you make a good-faith effort to comply with this policy during your security research, we will not pursue legal action against you and will work with you to understand and resolve the issue quickly. Please:

  • Avoid privacy violations, destruction of data and service degradation.
  • Only interact with accounts you own or for which you have explicit permission.
  • Stop testing as soon as you've demonstrated impact.

Coordinated disclosure

We follow a 90-day coordinated disclosure timeline. After a fix has shipped (or 90 days from the date of the initial report, whichever comes first) we may publish details of the issue along with credit to the reporter. If you'd prefer to remain anonymous or extend the embargo, tell us.

Hall of fame

No reporters yet. Be the first.

Bounties

We don't run a paid bounty programme yet. For high-impact reports we offer recognition, attribution, and (at our discretion) a thank-you payment. We'd rather spend that money on people who actually find real bugs than on a platform fee.

Related

  • /security: what we do to protect your data.
  • /trust: compliance posture and sub-processors.
  • /.well-known/security.txt: machine-readable contact for scanners.
We try to be the kind of vendor security researchers actually want to deal with.