Terminus← Back to home

Security

Responsible Disclosure

Last updated: April 2026

Found a vulnerability?

Email our security team directly. We respond to all valid reports within 48 hours.

security@terminus.ai

48-Hour Response

We acknowledge every valid report within 2 business days.

Safe Harbor

We won't pursue legal action against good-faith researchers.

Public Credit

Opt in to be recognized in our security acknowledgements.

Our Commitment

At Terminus, security is foundational to everything we build. We govern AI agents for enterprises — our own security posture must be unimpeachable. We genuinely welcome reports from security researchers and the broader community. If you discover a vulnerability, we want to hear from you.

Scope

The following are in scope for responsible disclosure:

  • The Terminus SaaS platform (app.terminus.ai)
  • The Terminus public API and agent enforcement endpoints
  • The Terminus marketing website (terminus.ai)
  • Official Terminus open-source repositories on GitHub

The following are out of scope:

  • Denial of service attacks or volumetric testing
  • Social engineering or phishing attacks against Terminus employees
  • Physical security attacks
  • Vulnerabilities in third-party services we use (report directly to that vendor)
  • Self-XSS or issues requiring physical device access

What We Ask of You

  • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate (90 days)
  • Provide sufficient detail to reproduce the issue: steps, affected endpoint, proof-of-concept if applicable

What You Can Expect from Us

  • Within 48 hours: acknowledgement of your report
  • Within 7 days: initial triage and severity assessment
  • Within 90 days: remediation for critical/high severity issues
  • Regular updates on remediation progress for material issues
  • Safe harbor — we will not initiate legal action against researchers acting in good faith

Severity Classification

Critical

Remote code execution, authentication bypass, or mass data exfiltration

High

Privilege escalation, sensitive data exposure, or significant business logic flaws

Medium

Cross-site scripting (XSS), CSRF with meaningful impact, information disclosure

Low

Missing security headers, minor information leakage, low-impact configuration issues

How to Report

Send your report to security@terminus.ai. Please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Affected URLs, parameters, or endpoints
  • Screenshots, videos, or proof-of-concept code (if available)
  • Your preferred contact method for follow-up

For highly sensitive reports, you may request our PGP public key for encrypted communication.

Recognition

We do not currently offer monetary bug bounties. However, researchers who responsibly disclose valid vulnerabilities will be offered public acknowledgement in our Security Hall of Fame (with their consent) and a Terminus team mention. We're exploring a formal bounty program — stay tuned.