Soarcery
Take the tourRequest a demo
Security

Responsible disclosure

Found a security issue? We want to hear from you, and we will not take legal action against good-faith research.

Last updated: 6 June 2026

On this page
How to reportSafe harborGuidelinesScopeOut of scopeWhat to expect

We build security software, so we hold ourselves to a high bar and we value the research community. If you believe you have found a vulnerability in Soarcery, please tell us.

How to report

Email security@soarcery.ai with enough detail for us to reproduce the issue: what you found, where, the steps to trigger it, and its potential impact. Proof-of-concept code or screenshots help. If you need to share sensitive details, ask us for an encrypted channel.

Safe harbor

We will not pursue or support legal action against researchers who, in good faith, follow this policy: who make a genuine effort to avoid privacy violations, data destruction, and service disruption, and who give us a reasonable chance to fix the issue before disclosing it publicly. If a third party brings action against you for activity conducted in line with this policy, we will make our authorization known. Authorization under this policy does not extend to actions that violate the law.

Guidelines

  • Only test against accounts and data you own or are explicitly authorized to use.
  • Do not access, modify, or delete data that is not yours, and stop at the point where you have demonstrated the issue.
  • Do not run denial-of-service tests, send spam, or use automated scanning that degrades the Service.
  • Do not socially engineer our team, customers, or vendors, and do not test physical security.
  • Give us a reasonable time to remediate before any public disclosure, and coordinate timing with us.

Scope

In scope: the Soarcery platform (app.soarcery.ai), this website (soarcery.ai), and our public-facing services. If you are unsure whether something is in scope, ask first.

Out of scope

Generally out of scope: findings from automated scanners without a demonstrated impact, missing best-practice headers without a concrete exploit, rate-limiting or denial-of-service issues, social engineering, and vulnerabilities in third-party services we do not control. We still appreciate a heads-up on anything that looks risky.

What to expect

We aim to acknowledge reports within three business days, keep you updated as we investigate, and let you know when the issue is resolved. We are an early-stage company without a paid bounty program yet, but we are glad to credit researchers who want recognition.