Responsible Disclosure
How to report security vulnerabilities in ReplayCI.
Reporting a vulnerability
If you discover a security vulnerability in ReplayCI, please report it responsibly:
Email: [email protected]
What to include
- Description of the vulnerability
- Steps to reproduce
- Affected component (CLI, API, dashboard, etc.)
- Potential impact assessment
- Your contact information for follow-up
What to expect
| Step | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Status update | Within 10 business days |
| Resolution | Depends on severity and complexity |
Scope
In scope
- The ReplayCI dashboard (app.replayci.com)
- The ReplayCI API (app.replayci.com/api/*)
- The @replayci/cli npm package (CLI)
- Authentication and session management
- Data encryption and tenant isolation
- SecurityGate bypass vectors
Out of scope
- Third-party LLM provider APIs (OpenAI, Anthropic, etc.)
- Denial of service attacks
- Social engineering
- Physical security
- Issues in dependencies that are already publicly disclosed
Safe harbor
We will not take legal action against researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or have explicit permission to test
- Report vulnerabilities promptly and provide reasonable time for remediation
- Do not exploit vulnerabilities beyond what's necessary to demonstrate them
Security contacts
- Vulnerabilities: [email protected]
- General questions: [email protected]