Vulnerability Disclosure Policy

ManticoreAI is committed to the security of our systems and the protection of our customers' data. We welcome responsible security research conducted in accordance with this policy.

Last updated: January 24, 2026

Introduction

At ManticoreAI, we consider the security of our systems a top priority. If you believe you have found a security vulnerability in any of our services, we encourage you to notify us. We will work with you to understand and address the issue promptly.

Scope

This policy applies to the following systems and services:

  • The ManticoreAI web application at manticore.ai and its subdomains
  • ManticoreAI APIs and backend services
  • ManticoreAI-owned infrastructure directly supporting customer-facing services

The following are not in scope:

  • Third-party services and applications integrated with ManticoreAI
  • Findings from physical testing (e.g., office access, tailgating)
  • Findings derived primarily from social engineering (e.g., phishing)
  • Findings from applications or systems not listed above

How to Report

When reporting a vulnerability, please include the following information:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code, screenshots, or logs
  • The affected URL, endpoint, or component
  • Your assessment of the severity (Critical, High, Medium, Low)
  • Your contact information for follow-up questions

Please send all reports to security@manticore.ai. Encrypt sensitive reports using our PGP key if available.

Guidelines

When conducting security research, you must adhere to the following guidelines:

  • Only test against accounts you own or have explicit permission to test
  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service (DoS/DDoS) attacks
  • Do not perform actions that could degrade the experience for other users
  • Do not engage in social engineering of ManticoreAI employees or customers
  • Do not publicly disclose vulnerabilities before they have been resolved
  • Stop testing and report immediately if you encounter sensitive user data

What to Expect

After you submit a report, you can expect the following:

  • Acknowledgment: We will acknowledge receipt of your report within 3 business days
  • Assessment: Our security team will evaluate the report and determine its validity and severity
  • Updates: We will keep you informed of our progress as we work to resolve the issue
  • Resolution: We aim to resolve critical vulnerabilities within 30 days and will notify you when a fix is deployed
  • Recognition: With your permission, we will acknowledge your contribution once the vulnerability is resolved

Safe Harbor

ManticoreAI commits to the following for researchers who act in good faith:

  • We will not pursue legal action against researchers who comply with this policy
  • We will work with you to understand and resolve the issue
  • We consider activities conducted consistent with this policy to constitute "authorized" access under applicable law
  • If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will make this authorization known

We consider good faith security research to be activity that is:

  • Authorized under this Vulnerability Disclosure Policy
  • Limited to the scope defined in this policy
  • Reported to us in a timely manner
  • Not used for personal financial gain beyond any bug bounty program we may offer

Exclusions

The following issue types are generally considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • CSRF on forms available to anonymous users (e.g., contact forms)
  • Missing security headers that do not lead to a direct vulnerability
  • Missing best practices without demonstrable security impact
  • Use of known-vulnerable libraries without a working proof of concept
  • Rate limiting or brute force issues on non-authentication endpoints
  • SPF/DKIM/DMARC configuration issues without demonstrated impact
  • Content injection without demonstrated security impact
  • Vulnerabilities requiring unlikely user interaction

Recognition

We appreciate the efforts of security researchers who help keep ManticoreAI and our users safe. With your permission, we are happy to publicly acknowledge your responsible disclosure.

To report a vulnerability, please contact us at security@manticore.ai.