Skip to main content

Vulnerability Disclosure

AxonFlow welcomes security reports from customers, evaluators, and independent researchers. This page explains the reporting path and the information that helps us triage quickly.

Security Contact

Report suspected vulnerabilities to:

  • [email protected]
  • Public policy URL: https://getaxonflow.com/security/
  • Machine-readable contact file: https://getaxonflow.com/.well-known/security.txt

Do not include production secrets, customer data, personal data, or regulated records in the first report. If a reproduction needs sensitive material, describe the shape of the data and we will coordinate a safer exchange path.

What To Include

A useful report usually includes:

  1. The affected component or deployment mode.
  2. The exact version, commit, image tag, or plugin version where possible.
  3. Reproduction steps, including request paths, CLI commands, or screenshots.
  4. Expected behavior and observed behavior.
  5. Security impact: data exposure, authentication bypass, tenant isolation issue, privilege escalation, denial of service, or integrity risk.
  6. Whether the issue affects Community, Evaluation, Enterprise, SaaS, In-VPC, self-hosted, or a plugin.

Scope

In scope:

  • Authentication and authorization flaws.
  • Tenant isolation or row-level security bypasses.
  • Credential, token, or secret exposure.
  • Policy enforcement bypasses on governed request paths.
  • Audit-record integrity issues.
  • Connector behavior that exposes data outside the configured boundary.
  • Cross-site scripting, CSRF, or session handling issues in the customer portal.

Out of scope:

  • Social engineering.
  • Denial-of-service tests that degrade shared services.
  • Reports that depend only on outdated browsers or unsupported operating systems.
  • Generic dependency findings without an exploitable AxonFlow path.
  • Claims about model quality, hallucination, or statistical bias unless they create a concrete security or privacy issue in AxonFlow's runtime controls.

Coordinated Handling

We aim to acknowledge credible reports promptly, validate the affected surface, and communicate remediation status to the reporter. Timing depends on impact, affected editions, whether a customer deployment is involved, and whether the fix requires coordinated release across plugins, containers, or hosted services.

Please give us a reasonable opportunity to investigate and remediate before public disclosure. We do not currently operate a paid bug bounty program.

Last updated on