Responsible disclosure.

Security reporting · Last updated 5 June 2026

Found something? We welcome good-faith security reports and will work with you in good faith in return. Email security@axiomgo.ai.

Scope

This guidance covers the public Axiom website at axiomgo.ai and assets we clearly operate. If you are a pilot participant and find an issue in the product console, please report it the same way and mention your pilot so we can route it quickly.

How to report

Email security@axiomgo.ai with enough detail for us to reproduce the issue. Helpful reports usually include:

  • a clear description of the vulnerability and its potential impact;
  • step-by-step instructions or a proof of concept to reproduce it;
  • the affected URL, page, or endpoint;
  • any relevant logs, requests, or screenshots.

What to expect

We will be straight with you about timing rather than promise a formal SLA we cannot guarantee:

  • we aim to acknowledge good-faith reports promptly;
  • we will keep you reasonably updated as we investigate;
  • we will let you know when an issue is resolved, and we are happy to credit you if you would like.

Safe-harbour expectations

If you make a good-faith effort to follow this guidance, meaning you access only your own data, avoid privacy violations and service disruption, and give us a reasonable chance to respond before disclosing publicly, we will treat your research as authorised and will not pursue or support action against you for it. If in doubt about whether something is in scope, ask us first.

Please avoid

  • accessing, modifying, or deleting data that is not your own;
  • denial-of-service testing, automated high-volume scanning, or anything that degrades the service for others;
  • social engineering of our team, customers, or partners;
  • publicly disclosing an issue before we have had a reasonable chance to address it.

Rewards

We do not currently run a paid bug-bounty programme, so we cannot promise a monetary reward. We genuinely value the help, will always thank you, and will offer public credit where you would like it. If we introduce a bounty in future, we will say so here.
