Skip to content
← Policies

Bug Bounty Program

Introduction

At Sycamore Labs, Inc. (“Sycamore”, “we”, “us”, or “our”), security is foundational to our mission of building trusted, enterprise-grade AI systems.

We value the work of the security research community and welcome responsible disclosure of vulnerabilities. This Bug Bounty Program outlines how to report vulnerabilities, the scope of eligible systems, and the expectations for participating in this program.

Program Overview

This program is intended to encourage responsible security research and coordinated disclosure.

If you believe you have discovered a vulnerability in our systems, we ask that you report it to us in accordance with this policy so we can investigate and address it promptly.

Scope

In Scope

Sycamore Platform

  • Web applications and API endpoints
  • Authentication and authorization systems
  • Tenant isolation, sandboxing, and agent execution environments
  • Data storage, processing, and observability systems

Infrastructure

  • Cloud infrastructure and configurations
  • Network security controls
  • Containerization and sandbox escape vulnerabilities

Out of Scope

The following are not eligible under this program:

  • Third-party services, integrations, or dependencies not controlled by Sycamore
  • Social engineering (e.g., phishing, pretexting)
  • Physical security vulnerabilities
  • Denial of Service (DoS/DDoS) attacks or traffic flooding
  • Spam, content injection, or UI issues without a demonstrated security impact
  • Vulnerabilities requiring outdated or unsupported browsers, libraries, or platforms
  • Self-XSS or issues affecting only your own account without broader impact
  • Missing HTTP security headers (e.g., X-Frame-Options, Content-Security-Policy, CORS headers) without a demonstrated, exploitable security impact
  • Clickjacking or UI redressing on pages that do not contain authenticated or state-changing actions
  • CORS misconfiguration on public, unauthenticated endpoints
  • Theoretical vulnerabilities or automated scanner output without a working proof of concept demonstrating real-world impact
  • Reports that are generic, templated, or not specific to our application
  • Reports that are fully AI-generated without meaningful human review, fabricated, or contain hallucinated endpoints or proof of concepts
  • Missing or misconfigured SPF, DKIM, or DMARC records
  • Software version or server banner disclosure (e.g., web server or framework version in HTTP headers)
  • SSL/TLS configuration issues (e.g., weak cipher suites, protocol version support) without a demonstrated exploit
  • Presence of publicly accessible files such as robots.txt, sitemap.xml, or .well-known paths
  • Open redirects that are not chained with another vulnerability to demonstrate impact
  • Missing rate limiting without a concrete, demonstrated abuse scenario
  • Content spoofing or text injection without script execution or meaningful security impact
  • CSV or formula injection in exported files
  • Logout CSRF or CSRF on non-sensitive actions (e.g., changing language or theme preferences)

Vulnerability Categories

We prioritize the following classes of vulnerabilities:

Critical

  • Remote code execution (RCE)
  • SQL injection or equivalent injection flaws
  • Authentication or authorization bypass
  • Sandbox or container escape
  • Privilege escalation across tenants or roles

High

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Exposure of sensitive data

Medium

  • Information disclosure
  • Security misconfigurations with demonstrated impact
  • Weak or improper cryptographic practices

Low

  • Best practice violations
  • Minor information leaks without meaningful impact

Reporting Guidelines

How to Report

Submit all vulnerability reports using the form at the bottom of this page. Do not send reports via email.

What to Include

To help us triage quickly, please include:

Vulnerability Description

  • Clear explanation of the issue
  • Severity assessment
  • Potential impact

Steps to Reproduce

  • Detailed, step-by-step instructions
  • Proof of concept (PoC), code, or screenshots
  • Environment details (browser, OS, etc.)

Affected Components

  • URLs, endpoints, APIs, or features
  • Any relevant configuration or version details

Optional: Suggested Remediation

  • If you have recommendations, feel free to include them

Example Report

Subject: [Severity] Brief Description

Vulnerability Type: [e.g., XSS, SQLi]
Severity: [Critical/High/Medium/Low]
Affected Component: [URL or feature]

Description:
[Details]

Steps to Reproduce:
1. ...
2. ...

Impact:
[What could happen]

Proof of Concept:
[Code/screenshots]

Suggested Fix:
[Optional]

Rules of Engagement

You agree to:

  • Report vulnerabilities promptly and responsibly
  • Use only accounts and data you are authorized to access
  • Avoid accessing, modifying, or exfiltrating data belonging to others
  • Minimize impact to systems and users during testing
  • Provide reasonable time for remediation before public disclosure

You must not:

  • Access or attempt to access data that does not belong to you
  • Disrupt, degrade, or impair our services
  • Conduct denial-of-service or resource exhaustion attacks
  • Use social engineering against Sycamore employees or customers
  • Publicly disclose vulnerabilities before we have resolved them
  • Violate any applicable laws or regulations

Rewards and Recognition

We are currently formalizing our reward structure.

Reward amounts and eligibility criteria may be introduced or updated at our discretion.

Response Timeline

We aim to acknowledge and triage reports promptly. Actual response and remediation timelines may vary depending on severity, complexity, and impact, and are provided at our discretion. These timelines are targets, not commitments, and do not create any obligation or liability on the part of Sycamore.

Safe Harbor

If you conduct security research in good faith and in strict compliance with this policy, the Rules of Engagement, and all applicable laws:

  • We will not pursue legal action against you
  • We will consider your research authorized
  • We will work with you to understand and remediate the issue

Whether research was conducted in good faith and in compliance with this policy is determined by Sycamore in its sole discretion. This safe harbor does not extend to activities that violate any provision of this policy, applicable laws, or that compromise user data beyond what is strictly necessary to demonstrate the vulnerability.

Confidentiality

You agree not to publicly disclose any vulnerability without prior written approval from Sycamore.

We commit to working with you to coordinate responsible disclosure when appropriate.

Relationship to Terms

This program does not grant permission to test systems outside the defined scope or to violate our Terms of Use. All participation must comply with applicable laws and our Terms.

Updates to this Program

We may update or modify this Bug Bounty Program at any time.

Continued participation after updates constitutes acceptance of the revised policy.

Contact

For all vulnerability reports and program inquiries, please use the form below.

Submit a Report

Drag & drop your file here, or click to browse

PDF, DOC, DOCX, MD, HTML, up to 25 MB

 
# Policy: Bug Bounty Program

## Introduction

At Sycamore Labs, Inc. (“Sycamore”, “we”, “us”, or “our”), security is foundational to our mission of building trusted, enterprise-grade AI systems.

We value the work of the security research community and welcome responsible disclosure of vulnerabilities. This Bug Bounty Program outlines how to report vulnerabilities, the scope of eligible systems, and the expectations for participating in this program.

## Program Overview

This program is intended to encourage responsible security research and coordinated disclosure.

If you believe you have discovered a vulnerability in our systems, we ask that you report it to us in accordance with this policy so we can investigate and address it promptly.

## Scope

### In Scope

**Sycamore Platform**

- Web applications and API endpoints
- Authentication and authorization systems
- Tenant isolation, sandboxing, and agent execution environments
- Data storage, processing, and observability systems

**Infrastructure**

- Cloud infrastructure and configurations
- Network security controls
- Containerization and sandbox escape vulnerabilities

### Out of Scope

The following are not eligible under this program:

- Third-party services, integrations, or dependencies not controlled by Sycamore
- Social engineering (e.g., phishing, pretexting)
- Physical security vulnerabilities
- Denial of Service (DoS/DDoS) attacks or traffic flooding
- Spam, content injection, or UI issues without a demonstrated security impact
- Vulnerabilities requiring outdated or unsupported browsers, libraries, or platforms
- Self-XSS or issues affecting only your own account without broader impact
- Missing HTTP security headers (e.g., X-Frame-Options, Content-Security-Policy, CORS headers) without a demonstrated, exploitable security impact
- Clickjacking or UI redressing on pages that do not contain authenticated or state-changing actions
- CORS misconfiguration on public, unauthenticated endpoints
- Theoretical vulnerabilities or automated scanner output without a working proof of concept demonstrating real-world impact
- Reports that are generic, templated, or not specific to our application
- Reports that are fully AI-generated without meaningful human review, fabricated, or contain hallucinated endpoints or proof of concepts
- Missing or misconfigured SPF, DKIM, or DMARC records
- Software version or server banner disclosure (e.g., web server or framework version in HTTP headers)
- SSL/TLS configuration issues (e.g., weak cipher suites, protocol version support) without a demonstrated exploit
- Presence of publicly accessible files such as robots.txt, sitemap.xml, or .well-known paths
- Open redirects that are not chained with another vulnerability to demonstrate impact
- Missing rate limiting without a concrete, demonstrated abuse scenario
- Content spoofing or text injection without script execution or meaningful security impact
- CSV or formula injection in exported files
- Logout CSRF or CSRF on non-sensitive actions (e.g., changing language or theme preferences)

## Vulnerability Categories

We prioritize the following classes of vulnerabilities:

### Critical

- Remote code execution (RCE)
- SQL injection or equivalent injection flaws
- Authentication or authorization bypass
- Sandbox or container escape
- Privilege escalation across tenants or roles

### High

- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Insecure direct object references (IDOR)
- Server-side request forgery (SSRF)
- Exposure of sensitive data

### Medium

- Information disclosure
- Security misconfigurations with demonstrated impact
- Weak or improper cryptographic practices

### Low

- Best practice violations
- Minor information leaks without meaningful impact

## Reporting Guidelines

### How to Report

Submit all vulnerability reports using the form at the bottom of this page. Do not send reports via email.

### What to Include

To help us triage quickly, please include:

**Vulnerability Description**

- Clear explanation of the issue
- Severity assessment
- Potential impact

**Steps to Reproduce**

- Detailed, step-by-step instructions
- Proof of concept (PoC), code, or screenshots
- Environment details (browser, OS, etc.)

**Affected Components**

- URLs, endpoints, APIs, or features
- Any relevant configuration or version details

**Optional: Suggested Remediation**

- If you have recommendations, feel free to include them

### Example Report

```
Subject: [Severity] Brief Description

Vulnerability Type: [e.g., XSS, SQLi]
Severity: [Critical/High/Medium/Low]
Affected Component: [URL or feature]

Description:
[Details]

Steps to Reproduce:
1. ...
2. ...

Impact:
[What could happen]

Proof of Concept:
[Code/screenshots]

Suggested Fix:
[Optional]
```

## Rules of Engagement

**You agree to:**

- Report vulnerabilities promptly and responsibly
- Use only accounts and data you are authorized to access
- Avoid accessing, modifying, or exfiltrating data belonging to others
- Minimize impact to systems and users during testing
- Provide reasonable time for remediation before public disclosure

**You must not:**

- Access or attempt to access data that does not belong to you
- Disrupt, degrade, or impair our services
- Conduct denial-of-service or resource exhaustion attacks
- Use social engineering against Sycamore employees or customers
- Publicly disclose vulnerabilities before we have resolved them
- Violate any applicable laws or regulations

## Rewards and Recognition

We are currently formalizing our reward structure.

Reward amounts and eligibility criteria may be introduced or updated at our discretion.

## Response Timeline

We aim to acknowledge and triage reports promptly. Actual response and remediation timelines may vary depending on severity, complexity, and impact, and are provided at our discretion. These timelines are targets, not commitments, and do not create any obligation or liability on the part of Sycamore.

## Safe Harbor

If you conduct security research in good faith and in strict compliance with this policy, the Rules of Engagement, and all applicable laws:

- We will not pursue legal action against you
- We will consider your research authorized
- We will work with you to understand and remediate the issue

Whether research was conducted in good faith and in compliance with this policy is determined by Sycamore in its sole discretion. This safe harbor does not extend to activities that violate any provision of this policy, applicable laws, or that compromise user data beyond what is strictly necessary to demonstrate the vulnerability.

## Confidentiality

You agree not to publicly disclose any vulnerability without prior written approval from Sycamore.

We commit to working with you to coordinate responsible disclosure when appropriate.

## Relationship to Terms

This program does not grant permission to test systems outside the defined scope or to violate our [Terms of Use](/policies/terms). All participation must comply with applicable laws and our Terms.

## Updates to this Program

We may update or modify this Bug Bounty Program at any time.

Continued participation after updates constitutes acceptance of the revised policy.

## Contact

For all vulnerability reports and program inquiries, please use the form below.