Found a vulnerability?
We treat security researchers as partners. If you’ve found a vulnerability, tell us and we’ll fix it — fast. No legal threats. No NDAs to read first.
We’ll acknowledge within 24 hours (usually under 2). For high-severity findings, put the word URGENT in the subject line — we have a pager rotation for those.
What we want to hear about
- ✓ Authentication / authorization bypasses. Including tenant isolation bugs (any way one tenant’s data leaks to another).
- ✓ Injection: SQL, command, prompt. Prompt injection that exfiltrates other tenants’ prompts or coerces the orchestrator to act on behalf of a different user.
- ✓ Bridge node compromise. Any way to break out of the per-job workspace, escalate on the bridge, or affect other tenants’ builds.
- ✓ Artifact tampering. Modifying a generated artifact, its SHA-256 hash, or the proof pack after the build completes.
- ✓ Sensitive data exposure. API keys, customer prompts, or signed artifact URLs leaking through logs, error messages, or insecure routes.
- ✓ Account takeover paths. Including via password reset, email verification, or the public demo flow.
Out of scope
We’ll still acknowledge these reports politely, but they generally won’t qualify for the hall-of-thanks.
- Missing security headers without a demonstrable impact.
- Rate-limit findings that don’t materially bypass our quotas.
- Self-XSS, social-engineering attacks, or anything requiring physical access.
- Email spoofing without a way to reach inboxes (SPF / DMARC pass).
- Vulnerabilities in our subprocessors (Supabase, Anthropic, OpenAI, AWS, Cloudflare) — report directly to them.
Ground rules
1. Don’t exfiltrate. If you can demonstrate access to data that isn’t yours, you’ve made your point. Don’t download it.
2. Don’t disrupt. No DoS, no spam, no automated large-scale scanning. Manual + careful is what we want.
3. Give us 90 days to fix before going public. 90 days is the default; we can negotiate longer for hard-to-fix issues. We won’t use the legal system to silence valid findings.
4. Use a test account, not a real customer’s. Sign up at /factory/signup for free.
What we owe you back
- ✓ Acknowledgement within 24 hours (usually under 2).
- ✓ A real human response — not a ticket auto-reply. We’ll explain whether we’re going to fix it, when, and how we triaged severity.
- ✓ A line on our public hall of thanks — with your preferred name, handle, and link — when the fix ships.
- ✓ No legal threats. Ever. Reporting a vulnerability in good faith does not violate our terms of service.
- ✓ Compensation for high-severity findings — currently swag + a public thanks. A monetary bounty program is on our roadmap (Q4 2026) once we have the customer revenue to fund it sustainably.
Hall of thanks
People who’ve responsibly disclosed to us. We’re early — this list is currently empty. We’d rather have an empty list than an inflated one. When real reports land, they’ll appear here.
PGP / encrypted reports
Not yet published. We do not yet have a PGP key at a well-known URL. If your report is especially sensitive, email [email protected] with a brief summary (no exploit details) and we will arrange an out-of-band channel — phone, Signal, or a freshly-cut PGP key — before you share the full report. A standing PGP key + posted fingerprint is on the roadmap; when it lands, the well-known URL will return the key and we will update this section.