Contact
Email: security@orgs.sh
PGP: Our key on keys.openpgp.org
Fingerprint: 4F8A 7B19 C3D2 ... E7F6 C2D6
What we commit to
- Acknowledgment within 24 hours
- Initial triage within 72 hours
- Status updates at least weekly until resolved
- Public disclosure 90 days after report OR upon patch, whichever is sooner
- Credit in our security acknowledgments (opt-in)
- Bounty per the scale below, via our Security Research Program
Bounty scale
| Severity | Example | Bounty |
|---|---|---|
| Critical | Authentication bypass, key extraction, PII leak at scale | 25,000 |
| High | Privilege escalation, audit-chain manipulation, unauthorized disbursement | 10,000 |
| Medium | Logic flaws with limited exploitation, info disclosure | 2,500 |
| Low | UI issues, outdated dependencies with no known exploit | Hall of Fame mention |
Scope
In scope:
- orgs.sh website and console
- api.orgs.sh endpoints
- Published SDKs (Rust, TypeScript, Python, Go, Swift, Kotlin)
- MCP server binaries
- Our hosted registered-agent pipeline
- Audit chain verification logic
Out of scope:
- Third-party services we integrate with (Mercury, Relay, Meow, Anthropic, etc.)
- Vulnerabilities in underlying protocols (Solana, Sigil, Ethereum)
- Social engineering of Orgs employees
- Denial of service / volumetric attacks
- Clickjacking on non-auth-critical pages
Safe harbor
We offer safe harbor for good-faith security research, provided that you:
- Do not intentionally harm the confidentiality, integrity, or availability of data
- Do not modify, copy, or exfiltrate data not your own
- Do not violate any applicable law
- Give us a reasonable time to respond before public disclosure
Hall of Fame
Researchers who’ve helped us over the past year:
- Q2 2026: @example1 — SSRF in registered-agent pipeline, severity HIGH
- Q1 2026: @example2 — auth-bypass via JWT misconfiguration, severity CRITICAL