Security & Responsible Disclosure

We take security seriously. If you find a vulnerability, we want to hear from you — no bug bounty programme yet, but we acknowledge every valid report and fix issues promptly.

How to report

Email security@claudit.consulting with a description of the issue. Please include:

A description of the vulnerability and its potential impact
Steps to reproduce, or a proof-of-concept (URL, screenshot, or request/response)
The URL or component affected
Your name or handle if you'd like credit (optional)

You can also use /.well-known/security.txt to find our contact details programmatically.

What to expect

Acknowledgement

Within 2 business days

We confirm receipt of your report and assign a tracking ID.

Triage

Within 5 business days

We assess severity, reproduce the issue, and determine impact scope.

Fix & verification

Depends on severity

Critical issues target a patch within 7 days. High within 30 days. We'll keep you updated.

Disclosure

Coordinated with you

We coordinate public disclosure timing with you. We don't disclose without your knowledge.

Scope

In scope

✓claudit.consulting and all subdomains
✓Authentication and session handling
✓API endpoints and rate limiting
✓Prompt injection and LLM output manipulation
✓XSS, CSRF, and injection vulnerabilities
✓Insecure direct object references (IDOR)
✓Data exposure or privacy leaks

Out of scope

–Denial of service attacks
–Social engineering of Claudit staff
–Physical security
–Vulnerabilities in third-party services (Anthropic, Supabase, Railway) — report those to them directly
–Issues requiring unlikely user interaction or social engineering

Rules of engagement

Only test against accounts you own or have explicit permission to test.
Do not access, modify, or delete data belonging to other users.
Do not perform automated scanning at a rate that degrades service for other users.
Give us reasonable time to fix before public disclosure.

Researchers who follow these guidelines will not face legal action from us for their security research.

Bug bounty

We don't currently run a formal paid bug bounty programme. We do publicly acknowledge researchers (with permission) in our Trust & Security page and aim to add a formal programme once we reach sufficient scale. A formal programme is planned — check back.

Security contact

security@claudit.consulting — PGP key available on request.