Security & Vulnerability Disclosure
Effective: April 29, 2026
We welcome reports from independent security researchers. This page is the policy referenced from /.well-known/security.txt and is incorporated into our DPA Annex II as part of our incident-response programme.
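For reference, the file this page is referenced from follows RFC 9116. The following is an added example of a security.txt that points at this policy; it is not the project's live file. The Contact address is the one given on this page; the Policy, Canonical and Acknowledgments URLs, the Expires date and the Preferred-Languages value are assumptions, since the page does not state them. No Encryption field is included because the PGP key is provided on request rather than published.

```text
# /.well-known/security.txt (RFC 9116) -- added example, not the live file
# Contact address as given on the policy page.
Contact: mailto:security@axolotlarmy.net
# Assumed URL of this policy page.
Policy: https://www.axolotlarmy.net/security
# Assumed date. RFC 9116 requires Expires; refresh the file well before it lapses,
# since many tools treat an expired file as absent.
Expires: 2027-04-29T00:00:00.000Z
# Assumed value: languages in which reports are accepted.
Preferred-Languages: en
# Assumed location. Canonical lets a reader reject copies served from other hosts.
Canonical: https://www.axolotlarmy.net/.well-known/security.txt
# Assumed anchor to the Hall of Fame section of the policy page.
Acknowledgments: https://www.axolotlarmy.net/security#hall-of-fame
```

The file must be served over HTTPS at the /.well-known/security.txt path with a text/plain content type; a redirect from /security.txt is permitted but the .well-known location is the one tools look up first. Once the PGP key is published at a stable URL, adding an Encryption field and signing the file with that key lets researchers verify the contact details before sending anything sensitive.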
Reporting a vulnerability
Email security@axolotlarmy.net with a clear description, reproduction steps, and (if possible) a proof of concept. Please do not include real user data; if a finding requires authenticated access, request a test account first.
If a finding involves customer data, please encrypt the report. Our public PGP key and its fingerprint are provided on request to security@axolotlarmy.net: send an initial message without the sensitive details to request the key, then send the encrypted report.
Scope
- portal.axolotlarmy.net and any subdomain we operate.
- REST and webhook endpoints exposed under /api/*.
- The marketing site at www.axolotlarmy.net.
- Public PWA service worker, manifest, and offline assets.
Out of scope
- Third-party services we depend on (Stripe, Vercel, Neon, Cloudflare, Google APIs, ElevenLabs, etc.) — report those to their respective programmes.
- Findings that require physical access, social engineering of our staff, or compromise of an end-user device.
- Reports generated solely by an automated scanner without manual validation, in particular nuclei template matches against banner output from cloud providers whose infrastructure we do not control.
- Self-XSS, CSRF on logged-out endpoints with no security impact, and best-practice findings without a working exploit (e.g. missing security headers on static assets).
- Denial-of-service via volumetric attacks or rate-limit bypasses.
Safe harbour
We will not pursue legal action against researchers who act in good faith, do not access user data beyond what is necessary to demonstrate the vulnerability, do not degrade the Service, do not pivot to other customers' tenants, and give us a reasonable time to remediate before public disclosure. Researchers who follow this policy are authorised to access the Service for the limited purpose of testing.
Response targets
- Acknowledge receipt: within 3 business days.
- Triage decision (in scope / severity): within 7 business days.
- Fix or mitigation:
- Critical: targeted patch within 7 days.
- High: targeted patch within 30 days.
- Medium / Low: included in next regular release.
Coordinated disclosure
We ask researchers to give us 90 days from triage before public disclosure, or 30 days for criticals where customers are exposed. We are happy to coordinate joint advisories, CVE assignment via MITRE, and credit in the Hall of Fame below.
Hall of fame
With your permission we will credit you here after the issue is resolved. We do not currently run a paid bounty programme; we may send swag, write a public thank-you, or both.
What we do internally
- Static + dynamic analysis on every PR.
- Dependency vulnerability scanning (npm audit, GitHub Dependabot, custom typosquat checks).
- Annual third-party penetration test (planned).
- Continuous monitoring (uptime, error tracking, security event logs).
- Encryption: TLS 1.2 or higher in transit; AES-256-GCM at rest for OAuth refresh tokens; bcrypt for passwords.
- Incident response runbook with 72-hour breach notification commitment.
- Annual security training for engineers; quarterly phishing simulation.
SOC 2
We are working toward SOC 2 Type II readiness with a target attestation in 2027. Until the formal report is published, enterprise customers can request under NDA a snapshot of our current control readiness (referred to here as an Attestation of Compliance, AoC); this is a self-reported status, not an auditor's opinion.
Contact
Security: security@axolotlarmy.net