AuthorityRail: Execution Authority Infrastructure
Vulnerability Disclosure

How to report a vulnerability — and what we commit to in return

AuthorityRail is execution authority infrastructure. A vulnerability in this layer can have outsized consequences for our customers’ downstream systems. We take security reports seriously, reward good-faith research with public credit, and commit to coordinated disclosure on a 90-day standard timeline.

Companion documents: /security · /trust · /legal/terms-of-service

How to report

Send a security report to security@authorityrail.com.

What to include:

  • A clear description of the vulnerability and its impact.
  • Reproduction steps — the more concrete, the faster we can act.
  • Any proof-of-concept code, screenshots, or HTTP captures.
  • Your name and any handle you’d like used for public credit (Hall of Fame), or a request to remain anonymous.
  • A PGP key fingerprint if you would like us to encrypt our reply.

We will acknowledge receipt within two (2) business days and follow up with a triage decision (in scope, out of scope, duplicate, or needs more information) within seven (7) business days.

Encrypted reporting

A PGP key for security@authorityrail.com is not yet published. Until it is, please send the report over TLS-protected email and avoid pasting raw exploitation material; instead, link to a private gist or self-controlled URL and rotate / redact after we acknowledge. When the PGP key is published, this page will list the fingerprint and the public-key URL.

What we commit to

  • Acknowledgement within two (2) business days. If you don’t hear back, resend or copy hello@authorityrail.com.
  • Coordinated disclosure on a 90-day standard window. From the date we acknowledge a valid in-scope report, we work to remediate and coordinate disclosure within 90 days. Extensions are explained in writing with a revised date.
  • No legal action against good-faith researchers. AuthorityRail will not pursue or threaten legal action against researchers whose research follows this Policy. Public credit is available on request.
  • Transparency with affected customers. When a vulnerability requires Customer action, we notify affected customers directly and surface guidance in the runbook system.
  • Honest disclosure post-fix. When a vulnerability and remediation are publicly disclosed, we say what happened and what we changed.

What we ask of researchers

To be eligible for the protections in the preceding section:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
  • Only interact with accounts you own, or with the explicit permission of the account holder. Do not attempt to access, modify, or delete other customers’ data.
  • Give us a reasonable time to investigate and remediate before any public disclosure.
  • Do not exploit the vulnerability beyond the minimum necessary to demonstrate it.
  • Do not exfiltrate any Customer Data. If you stumble onto Customer Data while researching, stop, document the path, do not retain copies, and report immediately.

Recognition

AuthorityRail does not currently offer a paid bug bounty. We do offer:

  • Public Hall of Fame credit (with consent) on this page or a sub-page once the first valid report is closed.
  • Private acknowledgement if the researcher prefers to remain anonymous.
  • Reference letters for academic / professional context where reasonable.

A paid bounty program may be introduced post-launch. When it is, this page will be updated with scope and reward bands. Researchers who already submitted valid reports under the no-bounty regime will not be retroactively eligible for cash awards (the no-bounty regime is the contract at the time of their submission), but their Hall of Fame credit transfers.

Scope

In scope

  • The AuthorityRail platform — services we run (Authority Gate, Voice Execution Gateway, Standards Site, Marketing Site, Customer Dashboard, Internal admin surfaces).
  • AuthorityRail-published code in github.com/AuthorityRail-ai/authorityrail — vulnerabilities in code we maintain.
  • AuthorityRail-published SDKs at packages/axap, packages/ar-sdk, packages/vex-sdk, packages/workforcerail-sdk, packages/plugin-langgraph, packages/plugin-crewai, and the related published npm packages.
  • The cryptographic chain of evidence — Ed25519 signing, JCS canonicalization, multi-key rotation, JWKS-shaped public-key feed, public CAR verification endpoint.
  • The dual-identity model and tenant-isolation enforcement (Postgres RLS).

Out of scope

  • Denial of service. DoS, distributed DoS, traffic floods, resource-exhaustion attacks. We use Cloudflare for edge protection and Railway-managed rate-limiting.
  • Social engineering. Phishing, vishing, smishing, or pretexting against AuthorityRail employees, contractors, customers, or vendors.
  • Physical attacks. Office break-ins, hardware tampering, evil-maid attacks against employee laptops, etc.
  • Supply-chain dependency vulnerabilities tracked upstream. We monitor and patch dependency advisories independently. Courtesy notifications are welcome but are out of scope for this Policy’s protections.
  • Vulnerabilities in third-party services we use. Supabase, Anthropic, Stripe, Vapi, Railway, Cloudflare. Report to the relevant vendor. If the issue is in how AuthorityRail integrates with the third party, that IS in scope.
  • Self-XSS, clickjacking on pages without sensitive actions, missing security headers without demonstrated impact, "best-practice" findings with no demonstrated risk path. These are appreciated as informational reports but are not in scope for the protections of this Policy.
  • Existing public disclosures. Reports already filed elsewhere or tracked in our public security advisories. Duplicates do not earn additional credit.

If you are not sure whether your finding is in or out of scope, send the report anyway and we’ll triage it.

Safe harbor

To the extent your activities are conducted in good faith and consistent with this Policy, AuthorityRail will not pursue or support legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) anti-circumvention provisions, the Texas Computer Crime statute, or analogous laws.

If your good-faith research violates a third party’s terms of service or law, this Policy cannot grant you the third party’s authorization. Authorization beyond AuthorityRail’s own systems is your responsibility.

This safe-harbor language is a commitment by AuthorityRail (the company); it does not bind any third party, regulator, or court.

Contact