We value the work of security researchers who help us maintain a secure platform for our customers. If you discover a potential security vulnerability in the Runplane website, APIs, dashboard, or infrastructure, we encourage you to report it to us through the process outlined below.
How to Report a Vulnerability
Please send vulnerability reports to our security team:
Security Contact
support@runplane.ai
When submitting a report, please include the following information:
- A clear description of the vulnerability and its potential impact
- The affected endpoint, API route, page, or system component
- Detailed steps to reproduce the vulnerability
- Proof-of-concept code, screenshots, or logs if available
- Your assessment of the potential security impact
- Your contact information for follow-up communication
Rules of Engagement
To ensure responsible security research, we ask that researchers adhere to the following guidelines:
Act in good faith - Conduct research with the intent of improving security, not causing harm.
Protect privacy - Avoid accessing, modifying, or deleting data belonging to other users.
Minimize impact - Do not exploit vulnerabilities beyond what is necessary to demonstrate them.
Avoid service disruption - Do not perform denial-of-service attacks or actions that could degrade platform availability.
Allow remediation time - Provide reasonable time for Runplane to investigate and address issues before any public disclosure.
Our Commitment
When you report a vulnerability in good faith, Runplane commits to:
Acknowledge Reports
We will acknowledge receipt of credible vulnerability reports.
Investigate Thoroughly
We will investigate reported vulnerabilities and assess their impact.
Work to Remediate
We will work to address confirmed security issues appropriately.
Communicate Respectfully
We will maintain respectful communication throughout the process.
Out of Scope
The following types of reports are generally considered out of scope for our responsible disclosure program:
- Spam, phishing, or social engineering attacks against Runplane employees or users
- Missing security headers without demonstrated exploitability or security impact
- Rate limiting observations without demonstrated abuse potential
- Vulnerabilities in third-party services, libraries, or infrastructure outside Runplane's direct control
- Theoretical vulnerabilities without proof of exploitability
- Issues requiring physical access to a user's device or account credentials
Thank You
We appreciate security researchers who take the time to investigate and report vulnerabilities responsibly. Your efforts help us maintain a secure platform for organizations building governance systems for autonomous AI.