Boundless API welcomes responsible security research.
Reporting a Vulnerability
Email security@boundlessapi.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information
Please do not publicly disclose before we have had reasonable time to respond.
What to Expect
| Timeline | Action |
|---|---|
| 24 hours | Acknowledgment of report |
| 72 hours | Initial assessment |
| 30 days | Target fix for critical issues |
| 90 days | Coordinated disclosure (if applicable) |
Scope
In scope:
- api.boundlessapi.com
- boundlessapi.com and dashboard
- Authentication and authorization flaws
- Data exposure vulnerabilities
- Injection attacks
Out of scope:
- Social engineering
- Physical attacks
- Denial of service attacks
- Issues in third-party services (report to provider)
- Bugs in upstream model providers
Safe Harbor
We will not pursue legal action against researchers who:
- Act in good faith
- Avoid privacy violations and data destruction
- Do not access data beyond what is necessary to demonstrate the issue
- Report promptly and keep findings confidential until resolved
Recognition
We maintain a security acknowledgments page (optional) for researchers who report valid issues. No bounty program at launch — under evaluation.
Contact
security@boundlessapi.com
PGP key: [TBD — publish before launch]