Vulnerability Disclosure Policy

Last updated: July 3, 2026

Introduction

Onpilot welcomes reports from security researchers who help keep our platform and our customers' data safe. This policy explains how to report a vulnerability, what is in scope, and what you can expect from us. It complements our security.txt and Security page.

How to Report

Email security@onpilot.ai with:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step reproduction details, including affected URLs or endpoints.
  • Any proof-of-concept, screenshots, or logs that help us reproduce it.

Please report promptly and give us a reasonable time to remediate before any public disclosure (see below). Do not access, modify, or delete data belonging to other users, and access no more data than necessary to demonstrate the issue.

Scope

In scope

Vulnerabilities in Onpilot-controlled assets — our production application, APIs, and marketing website.

Out of scope

  • Findings on customer-owned tenants, integrations, or content that do not stem from a vulnerability in the Onpilot platform.
  • Missing security headers, weak ciphers, or version disclosure without a demonstrated, exploitable impact (welcome as best-practice notes, but not qualifying vulnerabilities).
  • Volumetric denial-of-service, spam, or social-engineering attacks.
  • Vulnerabilities in third-party libraries we have not had a reasonable opportunity to patch.

Safe Harbor

We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. To preserve safe harbor, follow this policy, avoid out-of-scope activity, avoid privacy violations and service disruption, and access no more data, accounts, or systems than necessary to demonstrate the issue.

Our Response

StageCommitment
Acknowledge receiptWithin 72 hours of your report
Triage & initial assessmentWithin 7 calendar days of acknowledgement
Status updatesAt least every 14 calendar days while the report is worked
Remediation targetCritical: 7 days · High: 30 days · Medium: 90 days · Low: 180 days, from confirmation

If a finding affects personal data, we follow our incident-response process, including notifying affected customers as required.

Coordinated Disclosure

Please wait until the vulnerability is fixed, or until 90 calendar days have passed since our initial acknowledgement (whichever comes first), before disclosing the finding publicly. We are happy to coordinate timing and credit with you.

Recognition

Onpilot does not currently operate a monetary bug-bounty program. With your permission, we are glad to publicly acknowledge researchers who responsibly report valid vulnerabilities. Contact security@onpilot.ai with any questions about this policy.

© 2026 Onpilot AI. All rights reserved.