
Coordinated vulnerability disclosure policy.

Last reviewed: 2026-05-07

CoordOS welcomes reports from security researchers. This policy sets out how to report a vulnerability and what to expect from us.

How to report

Email security@coordos.ai. For encrypted reports, our PGP key fingerprint will be published at /security/coordos-pgp.txt.

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • Affected URL or component
  • Any proof-of-concept code or screenshots
  • Your contact info (so we can ask follow-up questions)

What we commit to

  • Acknowledge your report within 24 business hours
  • Investigate and confirm / triage within 5 business days
  • Keep you informed of progress every 7 days until resolved
  • Credit you in our advisory (if you wish; we respect anonymity)
  • Not pursue legal action against good-faith researchers who follow this policy

Scope

In scope:

  • coordos.ai (marketing site)
  • app.coordos.ai (the portal)
  • The Twilio numbers we provision for tenants
  • Our APIs at api.coordos.ai
  • Our open-source repos under our org

Out of scope:

  • Third-party services (Intuit, Google, Twilio, Stripe). Report those directly to the vendor.
  • Customers' tenants you don't have explicit permission to test
  • Social engineering of CoordOS staff or customers
  • Physical attacks on offices
  • Denial-of-service attacks (please don't)

Safe harbor

We will not pursue civil or criminal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service interruption
  • Only target their own test accounts (or our staging environment)
  • Report vulnerabilities promptly
  • Do not exploit beyond proof of concept
  • Wait for our authorization before public disclosure

What's NOT a vulnerability

Reports we routinely close as not-applicable:

  • Missing security headers (already mitigated by Cloud Armor)
  • Self-XSS, or attacks requiring victim cooperation that we already block
  • Email spoofing without DMARC bypass
  • Issues in third-party libraries without an exploitable path in our app

Bug bounty

We don't run a paid bounty program at this stage but offer recognition and swag for valid reports. We'll re-evaluate adding a paid program post-SOC 2.
