Legal

Responsible disclosure

Ultron welcomes reports from independent security researchers. This page explains what is in scope, how to send a report, what to expect after you send one, and the rules of engagement that keep testing safe for users and lawful for you.

Updated today

Scope

The programme covers the Ultron production application at the operating domains we control, the public API, the agent SDK, the marketing site, and the documentation site. It covers vulnerabilities in our own code and in our configuration of third-party services that materially affect customer security. The current in-scope domain list is published at 51ultron.com/.well-known/security.txt.

How to report

Send the report by email to security@51ultron.com. Use the PGP key published at our security.txt URL for anything you would prefer to keep encrypted in transit. We accept reports in English and Romanian.

What to include

A useful report contains:

  • A clear description of the vulnerability and the impact it allows.
  • The exact URL, endpoint, parameter, or feature affected.
  • Reproduction steps, with screenshots or HTTP requests where helpful.
  • Any proof-of-concept code, kept minimal and self-contained.
  • Your suggested severity and a brief justification.
  • How you want to be credited (name, alias, none).

Safe harbour

Good-faith security research conducted under this programme is authorised. Provided you follow the rules below, we will not initiate legal action against you, will not refer the conduct to law enforcement, will not ask your hosting provider to take action against you, and will not pursue claims under the Romanian computer crime statutes, the Computer Fraud and Abuse Act, or the equivalent in any other jurisdiction. If a third party brings legal action against you for activity conducted within the rules of this programme, we will make a reasonable effort to confirm publicly that the activity was authorised.

Out of scope

The following are not eligible for the programme:

  • Denial-of-service or volumetric attacks.
  • Findings from automated scanners without manual validation.
  • Theoretical issues without a demonstrated impact.
  • Reports about software versions, missing security headers, or cookie flags that do not have a concrete exploitation path.
  • Social engineering of our personnel or customers.
  • Physical attacks against offices or datacentres.
  • Findings against third-party services run by our subprocessors. Report those to the subprocessor.
  • Self-XSS where the only victim is the researcher.

What happens after you report

WhenWhat we do
Within 2 business daysWe acknowledge receipt and assign a tracking id.
Within 7 daysWe give an initial status update with our triaged severity and a preliminary remediation plan.
ContinuouslyWe keep you informed as we work on a fix. You can ask for an update at any time.
At remediationWe confirm the fix is live and invite you to verify.
After fixIf you want public credit, we add you to the recognition list and link to your write-up if you publish one.

Recognition

We do not run a paid bug bounty at this time. We do publish a recognition list of researchers who have reported valid vulnerabilities, with their consent. We also offer a written letter of acknowledgement on request, which has been useful to researchers seeking conference talks or employment references.

Rules of engagement

To stay within the safe harbour:

  • Test only against accounts you own or with the explicit consent of the account owner.
  • Do not access, modify, or destroy data that does not belong to you. If you accidentally do, stop and tell us.
  • Do not exfiltrate data beyond the minimum needed to demonstrate the vulnerability.
  • Do not pivot from one finding into infrastructure, internal networks, or other customers' tenants.
  • Do not run automated scanners against the production service. Manual exploration is fine; volumetric scanning is not.
  • Do not disclose publicly before we have shipped a fix. We aim for ninety days from triage; we will tell you if a fix needs longer and why.
  • Do not use any vulnerability to obtain commercial advantage or to harm a user.