Vulnerability disclosure policy

• cockpitcopilot.io and all subdomains
• The CockpitCopilot Chrome extension, current production version
• /api/* endpoints

• Third-party services (Supabase, Vercel, Stripe, Anthropic) — report to them directly
• Social engineering of CockpitCopilot personnel
• Physical attacks
• Anything requiring access to credentials we haven't issued you

We won't pursue legal action against researchers who operate in good faith, stay within scope above, don't access or modify data that isn't theirs, and give us 90 days to remediate before public disclosure.

We're early and don't yet run a paid bug bounty. We do offer public credit on this page if you want it, a free Pro account for one year per valid finding, and a direct line to the team building this.

Contact security. PGP key on request. Initial response within 48 hours.