← Securitysecurity@ibcopilot.ai

Coordinated vulnerability disclosure

If you believe you've found a security issue in IB Copilot, we'd rather hear about it from you than read about it on Twitter. This page explains how to report, what's in scope, and what you can expect from us in return.

How to report

  • Email security@ibcopilot.ai. Encrypt with PGP if the issue is sensitive — reply to that thread and we'll exchange keys.
  • Include: a description of the issue, affected endpoint or URL, steps to reproduce, and the impact you believe it has.
  • If you've written a proof-of-concept, attach it. We promise not to use it against you.

Our commitments to you

Initial acknowledgment within 2 business days — a real human replying, not just a ticket number.

Triage + severity assessment within 5 business days.

Fix and redeploy within 90 days for most issues; critical issues (RCE, auth bypass, cross-tenant data access) are prioritized and typically shipped within 7 days.

Public credit in our hall of fame (if you want it) once the fix is deployed. You choose the name and link.

No legal action against anyone who follows this policy in good faith. See safe harbor below.

Scope

In scope:

  • Authentication and authorization flaws (IDOR, privilege escalation, session issues)
  • Cross-tenant data exposure in any workspace or deal
  • Remote code execution, command injection, SQL injection
  • Cross-site scripting (XSS), cross-site request forgery (CSRF)
  • Sensitive data exposure (credentials, tokens, PII) in responses, logs, or error pages
  • Server-side request forgery (SSRF)
  • Vulnerabilities in ibcopilot.ai, api.ibcopilot.ai, or any subdomain under our control

Out of scope:

  • Denial of service attacks. Don't flood our servers to "prove" a vuln.
  • Social engineering, phishing, physical security
  • Self-XSS or issues requiring the victim to paste malicious JS into their own console
  • Missing security headers with no demonstrable impact
  • Reports from automated scanners with no manual verification
  • Issues in third-party infrastructure (Railway, Vercel, Stripe) — report those to the respective vendor, we'll coordinate if needed

Safe harbor

We will not pursue civil, criminal, or administrative action against anyone who:

  • Accesses, modifies, or exfiltrates only the minimum data necessary to demonstrate a vulnerability
  • Does not publicly disclose the vulnerability before we have released a fix, or 90 days after initial report, whichever comes first
  • Does not use the vulnerability to harm users, the service, or the company
  • Acts in good faith and reports through the channels described above

This is intentionally worded broadly — we'd rather err on the side of protecting researchers than nit-pick whether a particular action technically violated some ToS clause. If you're not sure whether what you want to test falls in scope, email us first.

What we ask in return

  • Give us a reasonable window (90 days by default) to fix before going public.
  • Don't test on customer data — create your own test account.
  • Don't run brute-force or other automated attacks that could degrade service.
  • Don't exfiltrate data from other users, even to prove a point. A screenshot of your own test account is enough.

Hall of fame

We'll list researchers who have reported valid issues here once we have any. If you're the first, you get to pick the format.

Last updated: April 2026

Machine-readable contact: /.well-known/security.txt