Vulnerability disclosure
We welcome reports from independent researchers. This page covers our scope, the SLA we promise, and how to send us encrypted reports.
How to report
- Email [email protected] with a minimal proof-of-concept and the affected URL or endpoint.
- For PII-bearing reports, please encrypt with our PGP key (below).
- We acknowledge within 1 business day and assign a triage owner within 3.
In scope
- crawlmind.ai and *.crawlmind.ai (excluding marketing pages)
- api.crawlmind.ai: all routes
- Public report viewer at /r/<share-id>
Out of scope
- Marketing site copy & SEO content
- Third-party services we use (report to the vendor directly)
- Rate-limit bypass without demonstrated impact
- Issues requiring physical access to a customer device
Severity SLA (Q3.6)
| Severity | Acknowledgement | Remediation |
|---|---|---|
| Critical | 1 business day | 7 days |
| High | 2 business days | 30 days |
| Medium | 3 business days | 90 days |
| Low / Info | 5 business days | 180 days |
PGP key
Fingerprint: TBD (generated by ops on rollout)
Public key download: security.asc (404 until the key is generated; see TODO below).
Safe harbour
We will not pursue legal action against researchers who follow this policy in good faith, avoid privacy violations, and give us a reasonable chance to fix issues before public disclosure.