1. Our Commitment
AUTONOMi welcomes responsible reports of security vulnerabilities. Our platform handles dealer business data, campaign budgets, and authentication tokens for ad platforms — we take that trust seriously and treat security research as a partnership.
This page describes what's in scope, how to report, what we commit to in return, and the safe-harbor terms under which good-faith research will not result in legal action.
2. Reporting a Vulnerability
Send all reports to security@autonomitech.com. We aim to acknowledge receipt within 2 business days and provide an initial assessment within 5 business days.
Include in your report:
- A clear description of the vulnerability.
- Affected URLs, endpoints, or product surfaces.
- Step-by-step reproduction instructions, including any required account state.
- Proof-of-concept payloads or screenshots.
- An assessment of impact: data exposure, privilege escalation, denial of service, etc.
- Whether you've shared the vulnerability with anyone else or published it.
For sensitive reports, you may encrypt with our PGP key (available on request to security@autonomitech.com with subject line "PGP key request"). We are working on publishing the key fingerprint inline; until then, request via email and we will respond within one business day.
3. In Scope
The following production systems are in scope for security research:
- engine-service-t77egxlroa-ue.a.run.app — Engine API + AEGIS agent runtime.
- app-service-t77egxlroa-ew.a.run.app — Dealer application.
- landing-t77egxlroa-ew.a.run.app — Marketing, checkout, signup.
- Authenticated API endpoints under /api/*.
- OAuth + credential flows for connected ad-platform accounts.
- Customer-data isolation between dealer accounts (multi-tenant boundaries).
- DealerDecisionAudit hash-chain integrity (any tamper or forgery vector).
- AXIOM compliance gate bypass paths.
4. Out of Scope
The following are not eligible for safe harbor and we ask that you do not test them:
- Third-party services we integrate with (Google, Meta, Microsoft, TikTok, YouTube, Stripe, Anthropic, Sentry, Make.com) — report directly to those providers.
- Denial-of-service or volumetric attacks, including layer-7 stress testing.
- Social-engineering attacks against AUTONOMi employees, customers, or contractors.
- Physical attacks against AUTONOMi facilities or hardware.
- Automated vulnerability scanners that generate excessive traffic without human triage of findings.
- Brute-force attacks against authentication endpoints; account enumeration via timing differences.
- Reports of missing security headers (e.g., HSTS, CSP, X-Frame-Options) without demonstrated exploitability.
- Outdated browser warnings, TLS configuration concerns without a concrete attack path.
- Vulnerabilities in third-party dependencies that have a published patch we have not yet applied (please report anyway, but they are typically lower priority).
5. Severity & Response Expectations
We classify reports using a CVSS-aligned scale and commit to the following response cadence:
| Severity | Triage | Patch Target |
|---|---|---|
| Critical (account takeover, data exfiltration, ledger forgery) | 4 hours | 72 hours |
| High (privilege escalation, sensitive data leak) | 1 business day | 14 days |
| Medium (CSRF on non-critical endpoints, IDOR with limited blast radius) | 3 business days | 30 days |
| Low (information disclosure, minor logic flaws) | 5 business days | 60 days |
6. Coordinated Disclosure
Our default disclosure window is 90 days from the date we acknowledge your report. We may request an extension for complex remediations; we will not require silence past 90 days for any vulnerability we have not patched, unless mutually agreed in writing.
We will credit researchers in our security acknowledgements page (publishing soon) unless you prefer to remain anonymous. Please indicate your preference in the original report.
7. Safe Harbor
AUTONOMi will not initiate or support legal action against security researchers who:
- Make a good-faith effort to comply with this policy and avoid harm to AUTONOMi, our customers, and our integrations.
- Limit testing to systems explicitly in scope (Section 3).
- Use only test accounts they own; do not access, modify, or exfiltrate other customers' data.
- Stop testing immediately upon discovery and report promptly.
- Do not publicly disclose the vulnerability before AUTONOMi has had a reasonable opportunity to address it (per Section 6).
This safe-harbor commitment is binding for AUTONOMi but does not waive third-party rights. We cannot speak for our sub-processors or integration platforms; if your testing inadvertently impacts a third party, you remain subject to their terms and applicable law.
8. Bug Bounty
AUTONOMi does not currently operate a paid bug bounty program. We acknowledge researchers publicly (with consent) and provide AUTONOMi merchandise, swag, and direct introductions to our engineering team for substantial findings.
A formal monetary bounty program is on our roadmap and will be announced here when launched. Researchers who report critical findings during the pre-launch period will be invited to the private bounty program when it opens.
9. Contact
For security reports: security@autonomitech.com.
For all other inquiries: contact us via the standard channel.