
Responsible Disclosure.

We build a platform that finds other people's vulnerabilities. The fastest way to embarrass us is to find one in ours. If you do, here is exactly what to send, who reads it, and what you get back.

  • Safe harbor: active
  • HackerOne: private program
  • security.txt: cybret.ai/.well-known/security.txt
Scope

What counts, and what does not.

In scope
  • *.cybret.ai (production marketing site)
  • app.cybret.ai (customer platform)
  • api.cybret.ai (public and authenticated APIs)
  • CYBRET platform integrations (GitHub, GitLab, cloud connectors)
  • Desktop and CLI clients distributed by CYBRET
  • Mobile companion app (iOS, Android)
  • Supply chain of the above: signed artifacts, release pipelines
Out of scope
  • Denial-of-service, volumetric, or resource-exhaustion attacks
  • Social engineering of CYBRET staff, customers, or vendors
  • Physical attacks on offices, data centers, or personnel
  • Missing security headers on static marketing pages absent a demonstrated impact
  • Self-XSS, clickjacking on unauthenticated marketing pages
  • Content or email spoofing issues without a working exploit (e.g. SPF notes)
  • Vulnerabilities in third-party services we integrate with — please report directly to the vendor
  • Reports produced solely by automated scanners with no manual validation
Safe harbor

Research in good faith, and we have your back.

If you make a good-faith effort to comply with this policy, we will consider your research authorised under this policy and the US Computer Fraud and Abuse Act, the UK Computer Misuse Act, and equivalent laws elsewhere, and we will not pursue or support legal action against you for the research covered by it.

Rules of engagement
  1. Test only accounts you own, or test accounts you are explicitly authorised to use.
  2. Do not access, modify, or destroy data belonging to other users. If you encounter any, stop and report.
  3. Do not run scans that would impact availability (rate-limit yourself to 10 req/s).
  4. Do not exfiltrate more data than is necessary to demonstrate the finding.
  5. Give us a reasonable time to remediate — the default is 90 days — before public disclosure.
  6. Tell us if you believe the finding is being actively exploited.
Our SLA to you

What we commit to on every valid report.

Stage                    Target                    Notes
Acknowledgement          Within 1 business day     Human, from security@cybret.ai
Triage                   Within 3 business days    Severity and scope confirmed
Remediation · Critical   Within 7 days             Mitigation may be pushed sooner
Remediation · High       Within 30 days
Remediation · Medium     Within 60 days
Remediation · Low        Within 90 days
Public disclosure        Coordinated with you      Default 90 days after fix is live
Rewards

We pay, not just thank.

Bounties are paid via HackerOne. Reports received outside the HackerOne program are still eligible if accepted. We pay on severity, impact, and quality of the report — not on theoretical CVSS.

Severity     Bounty
Critical     $5,000 – $25,000
High         $1,500 – $5,000
Medium       $300 – $1,500
Low          $100 – $300
Swag only    Hall of fame + CYBRET merch
How to report

Send to security@cybret.ai.

Plaintext to security@cybret.ai is fine for now (PGP support is on the Q3 2026 roadmap). Include the following — every missing field adds a day to triage.

Title:        <one-line summary>
Severity:     <your estimate: Critical / High / Medium / Low>
Affected:     <domain, endpoint, client, or artifact>
Summary:      <2-3 sentences, what it is, why it matters>
Reproduction:
  1. ...
  2. ...
  3. ...
Impact:       <what an attacker could do in practice>
Mitigation:   <optional — what you would change>
Disclosure:   <your preferred timeline and channel>
Handle:       <how you would like to be credited, or anonymous>
Contact:      <email, keybase, or HackerOne handle>

We maintain a Hall of Fame for researchers who have responsibly disclosed issues to us. With your permission, we will include your name.