Security Disclosure Policy
Effective July 9, 2026 · Version 1
We take the security of Pluripo and its users seriously. If you believe you have found a security vulnerability in Pluripo, we want to hear from you, and we appreciate your help in disclosing it responsibly.
How to report
Email security@pluripo.com with a description of the issue. A machine-readable version of this contact is published at /.well-known/security.txt per RFC 9116.
Please include, where you can:
- A clear description of the vulnerability and its potential impact.
- The steps, requests, or proof-of-concept needed to reproduce it.
- The affected component (for example, the web app, the marketing site, the API, or the editor extension) and any relevant URLs.
- How you would like to be credited, if at all.
Scope
This policy covers the Pluripo service and its official properties, including pluripo.com, the Pluripo API and web app, and the official Pluripo editor extension and desktop app.
The following are out of scope: findings that require physical access to a user’s device; social-engineering, phishing, or spam; denial-of-service and volumetric attacks; automated scanner output without a demonstrated, exploitable impact; and reports about third-party services we rely on (please report those to the relevant provider). Actions the autonomous agent takes within your own environment at your instruction are a product behavior, not a vulnerability — see the Terms of Service.
Responsible disclosure
When you report a vulnerability in good faith under this policy, we ask that you:
- Give us a reasonable opportunity to investigate and remediate before disclosing it publicly.
- Avoid accessing, modifying, or deleting data that is not your own, and avoid degrading the service for other users.
- Do not exploit the issue beyond the minimum needed to demonstrate it.
Good-faith research conducted in accordance with this policy is welcome, and we will not pursue action against researchers for such research. This policy does not grant permission to act in ways inconsistent with the Acceptable Use Policy or applicable law.
What to expect
We will acknowledge your report, keep you informed as we investigate, and work to remediate confirmed issues as quickly as is practical given their severity. We are a small team and cannot guarantee a specific response time, but we read every report.
Contact
Security reports: security@pluripo.com