AxonFlow Vulnerability Disclosure

A simple disclosure path for good-faith security research, procurement review, and security-contact automation.

Report a Vulnerability

Send suspected vulnerabilities to [email protected]. Include the affected component, reproduction steps, impact, and whether the issue affects hosted, self-hosted, SDK, plugin, or documentation surfaces.

No bounty program yet

AxonFlow does not currently operate a paid bug-bounty program. Reports are still welcome and will be reviewed in good faith.

Scope

In Scope: Authentication, authorization, tenant isolation, data exposure, encryption configuration, security-sensitive API behavior, and shipped SDK/plugin behavior.

Out of Scope: Denial-of-service testing, social engineering, spam, physical attacks, third-party services not operated by AxonFlow, and findings that require harming customer or production data.

Safe Harbor

If you act in good faith, avoid privacy violations, avoid service disruption, do not access or modify data that is not yours, and give AxonFlow reasonable time to investigate before public disclosure, we will not pursue legal action for the security research itself.

If a test accidentally exposes sensitive data or affects service availability, stop testing and report what happened immediately.