Responsible Disclosure
Security researchers can report vulnerabilities in Workweaver products and
services through the channel below. This page is the human-readable policy
referenced by /.well-known/security.txt.
Report issues to security@bitfoundry.ai (monitored alias).
What to include
- Description of the vulnerability and affected URLs or components.
- Steps to reproduce, with a proof of concept if available.
- Estimated impact (confidentiality, integrity, availability, tenant isolation).
- Your contact information for follow-up.
Safe harbor
We support good-faith research. We will not pursue legal action against researchers who avoid privacy violations, service degradation, and data destruction; who do not exploit issues beyond demonstration; and who report promptly and allow reasonable remediation time before public disclosure.
Out of scope
- Denial-of-service or load tests against production without prior approval.
- Social engineering of employees, customers, or partners.
- Physical attacks or third-party services outside Bitfoundry.ai control.
- Customer-owned integrations or misconfigurations outside our managed boundary.
Our commitment
- Acknowledge receipt within 3 business days.
- Provide a good-faith status update within 10 business days when validation is underway.
- Coordinate disclosure timing when a fix is in progress.
- Credit researchers in advisories when they wish to be named.
Effective date: June 23, 2026