Responsible Disclosure

Security

We take security seriously. If you've found a vulnerability in InfraPilot, we want to hear from you.

Report a vulnerability

Send findings to security@infrapilot.org. We acknowledge within 24 hours.


How it works

STEP 01

Email us

Send your findings to security@infrapilot.org. Include a clear description, steps to reproduce, and the potential impact.

STEP 02

Acknowledgement within 24 hours

We'll confirm receipt within 24 hours and begin triaging. We'll keep you updated as we investigate.

STEP 03

Fix & credit

We'll work to fix confirmed issues promptly. With your permission, we'll credit you in the hall of fame below.

Scope

We're interested in vulnerabilities affecting infrapilot.org and the InfraPilot software itself.

In scope:

• Authentication and authorisation bypasses

• Remote code execution

• SQL injection or data exposure

• Privilege escalation

• Cross-site scripting (XSS)

• Sensitive data leakage

Out of scope:

• Denial of service (DoS/DDoS)

• Social engineering or phishing

• Attacks requiring physical access

• Issues in third-party dependencies we don't control

Guidelines

• Give us reasonable time to investigate and fix before public disclosure.

• Do not access, modify, or delete data belonging to other users.

• Do not perform automated scanning that degrades service for others.

• Act in good faith — we'll do the same.

• We don't have a formal bug bounty programme yet, but we credit researchers who report valid issues and may offer recognition or rewards at our discretion.

Hall of Fame

Thank you to the researchers who have helped keep InfraPilot secure.

Be the first — report a valid vulnerability and get credited here.
