Vulnerability Disclosure Policy
How to report a security issue in CMMD. Scope, severity, safe harbor, coordinated disclosure, recognition. Public-facing.
If you found a security issue in CMMD, this is how to report it. Thank you for taking the time to help.
In short
Section titled “In short”We welcome security research on CMMD. Test responsibly, don’t access other users’ data, report what you find, and we’ll respond within 1 business day with a triage status. We do not have a formal bug bounty yet, but we publicly credit valid reports (with your permission) and we treat researchers as collaborators, not adversaries.
In scope
Section titled “In scope”cmmd.aiand all subdomains (*.cmmd.ai)- CMMD mobile apps (when shipped)
- CMMD API endpoints
- Authentication & authorization flows
- Multi-tenant isolation (org-scoping)
- Integrations layer (Composio sessions handling)
- Data handling in AI/Sidekick pipelines
Out of scope
Section titled “Out of scope”- Third-party services we use (Railway, Neon, PostHog, Anthropic, Composio) — please report directly to them
- Social engineering of CMMD employees
- Denial-of-service attacks (please don’t)
- Vulnerabilities in user-installed integrations (those are upstream)
- Physical access attacks
- Issues requiring rooted/jailbroken devices
- Speculative issues with no proof-of-concept
What we consider valid
Section titled “What we consider valid”| Severity | Examples | Response time |
|---|---|---|
| 🔴 Critical | Authentication bypass, cross-tenant data access, RCE, full account takeover, full DB read | Same day — drop everything |
| 🟠 High | Privilege escalation within an org, sensitive data exposure (partial), CSRF on critical actions | Within 3 business days |
| 🟡 Medium | Self-XSS, IDOR with minimal impact, session-fixation requiring user interaction | Within 7 business days |
| 🟢 Low | Information disclosure (e.g. version banners), open redirect with negligible impact | Best effort |
| 🚫 Not accepted | Theoretical issues with no PoC, missing security headers (with no exploitable impact), DoS, rate-limit bypasses without further impact | Closed with thanks |
How to report
Section titled “How to report”Email security@cmmd.ai with:
- Description — what the issue is, in 1–2 paragraphs
- Reproduction steps — exact, screenshot or video if helpful
- Impact assessment — what could an attacker achieve?
- Suggested fix — optional but appreciated
- Your contact info — for follow-up; anonymous reports OK but slower to resolve
We’ll respond within 1 business day with at minimum an acknowledgment and a triage timeline.
For very sensitive reports, you can encrypt with our PGP key (published at cmmd.ai/.well-known/security.txt — planned).
Safe harbor
Section titled “Safe harbor”We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and disruption of service
- Test only against accounts they own (create a test account; do NOT poke other users’ data)
- Stop testing and notify us immediately upon discovering an issue that could affect production
- Give us a reasonable window to fix before any public disclosure (we aim for 90 days from triage to public disclosure for confirmed issues)
- Do not engage in extortion or threats
This is a commitment, not a legal contract, but it reflects how we will actually respond.
Coordinated disclosure
Section titled “Coordinated disclosure”Our default cadence:
- Day 0: You report; we acknowledge same business day
- Within 3 days: We confirm or deny the issue, share initial severity assessment
- Within 30 days: We aim to ship a fix (faster for critical/high)
- Day 90 (or earlier with your agreement): Public disclosure with credit (with your permission)
We’re flexible if you have a different timeline in mind — talk to us.
Recognition
Section titled “Recognition”Until we launch a formal bug bounty:
- Credit on our security page (with your permission)
- Direct line of communication for future research
- Swag for valid reports of medium+ severity
- Free CMMD Pro for 1 year for critical findings
A formal bug bounty program is planned post-SOC2 attestation.
What NOT to do
Section titled “What NOT to do”- 🚫 Access, modify, or delete data belonging to other users
- 🚫 Test on production accounts you don’t own
- 🚫 Publicly disclose before we’ve had a reasonable chance to fix
- 🚫 Engage in social engineering of CMMD staff or customers
- 🚫 Conduct denial-of-service testing
- 🚫 Submit AI-generated reports with no PoC (we will close them)
- 🚫 Use found vulnerabilities for anything beyond reporting
Contact
Section titled “Contact”- Reports: security@cmmd.ai
- General security questions: security@cmmd.ai
- Suspected ongoing attack: security@cmmd.ai with “URGENT” in subject