Vulnerability Disclosure Policy
Last updated: July 3, 2026
Introduction
Onpilot welcomes reports from security researchers who help keep our platform and our customers' data safe. This policy explains how to report a vulnerability, what is in scope, and what you can expect from us. It complements our security.txt and Security page.
How to Report
Email security@onpilot.ai with:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction details, including affected URLs or endpoints.
- Any proof-of-concept, screenshots, or logs that help us reproduce it.
Please report promptly and give us a reasonable time to remediate before any public disclosure (see below). Do not access, modify, or delete data belonging to other users, and access no more data than necessary to demonstrate the issue.
Scope
In scope
Vulnerabilities in Onpilot-controlled assets — our production application, APIs, and marketing website.
Out of scope
- Findings on customer-owned tenants, integrations, or content that do not stem from a vulnerability in the Onpilot platform.
- Missing security headers, weak ciphers, or version disclosure without a demonstrated, exploitable impact (welcome as best-practice notes, but not qualifying vulnerabilities).
- Volumetric denial-of-service, spam, or social-engineering attacks.
- Vulnerabilities in third-party libraries we have not had a reasonable opportunity to patch.
Safe Harbor
We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. To preserve safe harbor, follow this policy, avoid out-of-scope activity, avoid privacy violations and service disruption, and access no more data, accounts, or systems than necessary to demonstrate the issue.
Our Response
| Stage | Commitment |
|---|---|
| Acknowledge receipt | Within 72 hours of your report |
| Triage & initial assessment | Within 7 calendar days of acknowledgement |
| Status updates | At least every 14 calendar days while the report is worked |
| Remediation target | Critical: 7 days · High: 30 days · Medium: 90 days · Low: 180 days, from confirmation |
If a finding affects personal data, we follow our incident-response process, including notifying affected customers as required.
Coordinated Disclosure
Please wait until the vulnerability is fixed, or until 90 calendar days have passed since our initial acknowledgement (whichever comes first), before disclosing the finding publicly. We are happy to coordinate timing and credit with you.
Recognition
Onpilot does not currently operate a monetary bug-bounty program. With your permission, we are glad to publicly acknowledge researchers who responsibly report valid vulnerabilities. Contact security@onpilot.ai with any questions about this policy.
© 2026 Onpilot AI. All rights reserved.