Responsible Disclosure
Thank you for helping keep Eudoxic and our users safe. If you have found a security vulnerability, please report it privately using the channel below before disclosing it publicly.
Last updated: April 15, 2026
Report a vulnerability
Email us at security@eudoxic.ai. Include a detailed description of the issue, steps to reproduce, affected URLs or endpoints, and the potential impact. If possible, include a proof-of-concept. Please do not share details publicly until we have had a reasonable opportunity to investigate and respond.
Scope
In scope
- eudoxic.ai and all subdomains
- Eudoxic API endpoints
- Authenticated user surfaces (workspaces, documents, chat, briefings)
- Authentication and session handling
- File upload and storage paths
Out of scope
- Third-party vendors (Anthropic, OpenAI, Neon, Vercel) — report directly to them
- Social engineering of Eudoxic staff or users
- Physical attacks against Eudoxic infrastructure or personnel
- Denial-of-service or volumetric attacks
- Automated scanners producing only low-severity informational findings
- Vulnerabilities requiring physical access to a user's device
Response timeline
We commit to the following response windows for good-faith reports that fall within scope:
- Acknowledgment: within 72 hours
- Initial triage: within 7 days
- Critical severity fix: within 30 days
- High severity fix: within 60 days
- Medium severity fix: within 90 days
Fix timelines are targets. Complex issues may take longer; we will keep you informed.
Safe harbor
We will not pursue legal action against security researchers who act in good faith and comply with this policy. Researchers who access, modify, or exfiltrate user data beyond what is strictly necessary to demonstrate the vulnerability, or who violate privacy laws or disrupt our services, are outside the scope of this safe harbor.
Research guidelines
- Test only against accounts you own or have explicit permission to test.
- Do not access, modify, or delete data that is not yours. If you inadvertently access such data, stop immediately and report it.
- Do not run automated scans that degrade service for other users.
- Give us a reasonable time to investigate and remediate before public disclosure.
- Do not exploit findings beyond what is necessary to demonstrate impact.
Related
See our Security page for infrastructure, encryption, and data handling details. Our security.txt provides a machine-readable version of this contact information per RFC 9116.