Responsible Disclosure

Security researchers can report vulnerabilities in Workweaver products and services through the channel below. This page is the human-readable policy referenced by /.well-known/security.txt.

Report issues to security@bitfoundry.ai (monitored alias).

What to include

  • Description of the vulnerability and affected URLs or components.
  • Steps to reproduce, with a proof of concept if available.
  • Estimated impact (confidentiality, integrity, availability, tenant isolation).
  • Your contact information for follow-up.

Safe harbor

We support good-faith research. We will not pursue legal action against researchers who avoid privacy violations, service degradation, and data destruction; who do not exploit issues beyond demonstration; and who report promptly and allow reasonable remediation time before public disclosure.

Out of scope

  • Denial-of-service or load tests against production without prior approval.
  • Social engineering of employees, customers, or partners.
  • Physical attacks or third-party services outside Bitfoundry.ai's control.
  • Customer-owned integrations or misconfigurations outside our managed boundary.

Our commitment

  • Acknowledge receipt within 3 business days.
  • Provide a good-faith status update within 10 business days when validation is underway.
  • Coordinate disclosure timing when a fix is in progress.
  • Credit researchers in advisories when they wish to be named.

Effective date: June 23, 2026