Acknowledgment: 48h

Target for confirming receipt of a security report.

Initial triage: 5 days

Target for impact review and determining whether a report is accepted.

Status updates: 7 days

Accepted reports receive progress updates at least weekly.

Breach notice: 72h

Target for notifying affected customers after confirming a material customer-data incident.

How to contact us

The preferred path is email. If you use the contact form, include "Security report" in the subject or message so it is triaged correctly.

What to include

  • Affected URL, endpoint, worker, or workflow
  • Clear reproduction steps
  • Expected impact and any prerequisites
  • Sanitized logs, screenshots, or proof-of-concept details
  • Whether customer data was accessed, modified, or exfiltrated

What is covered

We care most about bugs that could expose customer data, weaken access control, compromise the control plane, or undermine the default managed VPS security model.

In scope

  • ekuri.ai and first-party subdomains
  • Pages Functions under /auth/* and /api/*
  • VPS worker and manage-api control plane code in this repository
  • Managed VPS provisioning, update, backup, restore, and access-control paths

Out of scope

  • Social engineering, phishing, spam, or physical attacks
  • Denial-of-service testing
  • Third-party vulnerabilities with no Ekuri-specific exploit path
  • Attacks requiring credentials or account access you do not own
  • User-modified self-hosted environments outside Ekuri-managed infrastructure

Researcher safe harbor and incident handling

We want responsible research, not theatrical exploitation. If you act in good faith, avoid privacy violations, and report promptly, we will treat your work as authorized.

Safe harbor

  • Stop once you have enough evidence to demonstrate the issue
  • Do not exfiltrate, retain, or publicly expose customer data
  • Do not modify or destroy data you do not own
  • Do not disclose publicly before we have had a reasonable chance to remediate

Incident communication

  • Acknowledge reports within 48 hours
  • Provide an initial triage result within 5 business days
  • Send weekly updates for accepted reports
  • Target customer notice within 72 hours of confirming a material customer-data incident

These are response targets, not guaranteed SLAs. We do not currently run a paid bug bounty program.

Related public artifacts

We publish the documents and repository artifacts we expect reviewers to inspect.

Last updated: March 26, 2026

Found something real?
Send the report.

The fastest path is email with exact reproduction steps and a short impact summary. Use the contact form only if email is unavailable.