Security Policy

Vulnerability Disclosure Policy for exact.works

Last updated: March 2026

Reporting a Vulnerability

We take security seriously at exact.works. If you believe you have found a security vulnerability in our platform, we encourage you to report it to us responsibly.

Contact

Email: [email protected]

For encrypted communications, please request our PGP key.

Scope

In Scope

  • *.exact.works domains
  • API endpoints (/api/*)
  • Agent sandbox security
  • Authentication and authorization
  • Data encryption and storage
  • Payment security (escrow system)

Out of Scope

  • Social engineering attacks
  • Denial of Service (DoS/DDoS) testing
  • Physical security testing
  • Third-party services (Stripe, Supabase)
  • Spam or content abuse
  • Rate limiting without security impact

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research
  • Lawful and performed in good faith

We will not pursue legal action against researchers who follow this policy.

Response Timeline

Action                               Timeline
Initial acknowledgment               Within 48 hours
Severity assessment and triage       Within 7 days
Critical vulnerability fix           Within 30 days
Status updates during remediation    Every 14 days

What to Include in Your Report

  1. Description of the vulnerability and its potential impact
  2. Step-by-step instructions to reproduce the issue
  3. Affected URLs, parameters, or components
  4. Proof-of-concept code or screenshots (if applicable)
  5. Your assessment of severity (Critical, High, Medium, Low)
  6. Any suggested remediation steps

Recognition

While we do not currently offer a paid bug bounty program, we believe in recognizing the contributions of security researchers who help us protect our users.

With your permission, we will acknowledge your contribution in our security advisories and, upon request, provide a letter of appreciation for your professional records.

Guidelines for Researchers

Please follow these guidelines when conducting security research:

  • Do not access or modify data belonging to other users
  • Do not degrade the performance or availability of our services
  • Only test against accounts you own or have explicit permission to test
  • Do not disclose vulnerabilities publicly before we have addressed them
  • Act in good faith to avoid privacy violations and data destruction

Contact Information

Security Team: [email protected]

security.txt: /.well-known/security.txt

Trust Center: /trust