Applies to authra.io and any materials linked from it that describe $ATRX or token-related mechanics.
Our commitment
We take the security of our users, contributors, and partners seriously. If you believe you’ve found a vulnerability, we’d like to work with you to triage and remediate it promptly.
Scope
In scope
Authra-operated web properties (e.g., authra.io, staging subdomains we control);
Public APIs/SDKs and documentation sites;
Authentication, authorization, data isolation, and crypto implementation issues.
Out of scope
Third-party services not controlled by Authra;
Social engineering, phishing, physical security;
Denial-of-service (DoS/DDoS), spam or volumetric attacks;
Clickjacking on pages without sensitive actions;
Missing security headers with no demonstrable impact;
Outdated libraries without a working exploit;
Rate-limit or brute-force findings without proof of data access or account compromise.
If you’re unsure whether something is in scope, email us before testing.
How to report
Email security@authra.io (or legal@authra.io if the security address bounces) with:
A clear description of the issue and affected domain/endpoint;
Step-by-step reproduction (minimal PoC), expected vs. actual behavior;
Impact assessment and plausible attack scenario;
Any logs or screenshots (redact secrets).
Please do not include personal data or secrets in your report. If you must share sensitive details, request a PGP key in your first email.
Safe harbor
We will not pursue civil action or referral to law enforcement for good-faith research that:
Accesses only what is necessary to demonstrate the issue;
Avoids privacy violations, data exfiltration, or service disruption;
Respects rate limits and does not degrade service for others;
Gives us a reasonable time to remediate before public disclosure;
Complies with applicable laws and sanctions restrictions.
This safe harbor does not apply to actions that are unlawful, exploitative after initial proof, or that put users at risk.
Our process & timelines
Acknowledgment: We typically reply within 3 business days.
Triage & priority: Within 7 business days, we aim to confirm severity and mitigation plan.
Remediation target: Severity-dependent; we will coordinate timelines case-by-case.
Coordinated disclosure: By default up to 90 days after acknowledgment, or earlier once fixed. We may request more time for complex issues.
Research rules of engagement
While testing, you agree to:
Not access, modify, or destroy data that isn’t yours;
Not attempt persistent access after demonstrating the issue;
Not run automated scanners against production at a rate that causes instability;
Stop testing and notify us immediately if you encounter user data or secrets.
Bounties & recognition
At present, we do not operate a public cash bug bounty. Where permitted, we may offer goodwill recognition (hall of fame credit, swag, or a discretionary reward) for novel, high-impact findings. If we later launch a formal bounty, separate terms will apply.
Severity guidance (informative)
Critical: Remote code execution; auth bypass; key/secret leakage; direct compromise of user data.
High: Significant privilege escalation; injection leading to sensitive data exposure; sandbox escapes.
Medium: CSRF on sensitive actions; stored XSS with meaningful impact; broken access control in non-critical paths.
Low/Info: Misconfigurations with limited impact; missing security headers with no exploit chain.
Third-party and protocol notes
If a vulnerability resides in a third-party library or upstream dependency, we may coordinate with that maintainer.
If issues affect open-source components, we may request responsible disclosure via the relevant project’s process.
Legal and sanctions notice
Do not test from, or on behalf of, sanctioned or embargoed jurisdictions, or if you are a restricted party. This policy does not authorize access or testing that would violate applicable laws.
Policy updates
We may update this policy from time to time; the effective date will be revised accordingly.
Contact
hello@authra.io; rohan@authra.io
Disclaimers & Distribution Notice
Private & Confidential
This document has been prepared solely for informational purposes and contains high-level, confidential and proprietary information relating to the Authra project. By receiving or reviewing this document—whether as an intended recipient or otherwise—you acknowledge and agree that an obligation of confidentiality is implicitly created. By accessing or reviewing this document, you are deemed to have been placed on notice of its confidential nature and agree to treat its contents accordingly. You agree not to reproduce, distribute, or disclose this document or its contents, in whole or in part, without the prior written consent of Authra. Certain implementation details and sensitive information have been intentionally withheld and will only be made available under a duly executed Non-Disclosure Agreement (NDA). Nothing in this document constitutes an offer of securities, investment solicitation, or a binding commitment of any kind.