Security disclosure.
Found a security issue? Tell us and we'll act. The full security posture lives at /trust/security; this page is the disclosure path.
How to report
Email [email protected]. Our PGP fingerprint and current public key are published at /.well-known/security.txt (RFC 9116).
What to include
- Reproduction steps (or PoC).
- Expected vs actual behaviour.
- Impact assessment in your own words.
- Your name (or pseudonym) for credit, if you want it.
Our response
- Acknowledgement within 24 hours.
- Triage within 3 business days.
- Fix for critical issues within 7 days; lower severity within 30 days.
- Public disclosure within 30 days of fix, coordinated with you.
Scope
In scope: *.assets.hoistai.com, the MCP server, the OpenAPI implementation, the dashboard, the SDKs.
Out of scope (please don't): denial-of-service attacks, social engineering of our staff, third-party services (Cloudflare, Stripe, Clerk — report to them).
Bounty
We pay A$50 – A$2,500 cash per valid report, depending on severity. No formal program yet; we negotiate per report. We'll cover the LaunchPad fee if you submit via a coordinated-disclosure platform.
Safe harbour
Good-faith research won't trigger legal action from us. We won't pursue prosecution for security testing conducted within scope and consistent with this policy.
