Security Vulnerability Disclosure
1. Overview
Found a security bug in Arrowdot? Email [email protected] with a simple proof of concept. We acknowledge in 2 business days, triage in 5, and fix by severity. Please keep it private until we release a fix. We offer recognition, not bounties.
2. Purpose
We welcome good-faith security research. This policy explains what is in scope, how to report, how we respond, and the safe-harbor protections we offer.
3. Scope
In scope when owned or operated by Arrowdot:
- arrowdot.ai and subdomains
- Platform and APIs at *.arrowdot.app and *.arrowdot.ai
- Status and ancillary services under Arrowdot domains
Customer apps built on Arrowdot may live at *.arrowdot.app. If you believe an issue is in our platform, report it here and we will coordinate with the customer.
4. How to report
Send to [email protected] with:
- Summary and likely impact
- Affected host or endpoint
- Steps to reproduce or minimal PoC
- Screenshots or logs if helpful
- Your contact details and disclosure preference
Do not include live personal data. If you encounter it, stop and tell us.
5. Response targets
- Acknowledge: within 2 business days
- Triage and initial severity: within 5 business days
Remediation targets:
- Critical: target fix within 14 days, mitigations immediately
- High: 30 days
- Medium: 90 days
- Low: next planned release
We will update you at key points. If a target slips, we will explain and agree a new plan.
6. Rules of engagement
To qualify for safe harbor:
- Do not access, modify, or exfiltrate data that is not yours
- Do not degrade service or impact other users
- No social engineering, phishing, spam, or physical testing
- Use only accounts and assets you own
- Stop once you have enough evidence and delete artifacts after reporting
- Follow applicable laws at all times
7. In-scope examples
- Auth bypass, IDOR, privilege escalation
- Injection that leads to data access or code execution
- Stored or reflected XSS with meaningful impact
- Misconfigurations that expose sensitive data
- Broken access control on platform APIs or artifacts
- Significant SSRF, RCE, or path traversal
8. Out-of-scope examples
- Issues on third-party services outside our control
- Self-XSS, clickjacking on non-sensitive pages
- Missing security headers without a working exploit
- Missing rate limiting or brute-force findings without demonstrated impact
- Open redirects that do not enable credential theft
- Old CVEs without a viable exploit path in our setup
- Spam, SEO, or content moderation complaints (for AUP violations use [email protected])
9. Coordinated disclosure and credit
Please do not publish details until a fix is available and we agree a disclosure timeline together. We will credit you on our Hall of Fame if you wish, or keep you anonymous.
No cash bounties at this time.
10. Safe harbor
If you follow this policy in good faith, Arrowdot will not pursue legal action or report you to law enforcement for your research on in-scope systems. This does not cover actions that are illegal or harmful, or testing of systems not owned by Arrowdot.
11. Contact points
- Vulnerabilities: [email protected]
- Abuse or AUP violations in user-published apps: [email protected]
- Data protection questions: [email protected]