NewEarly access is open. Apply now.

security & responsible disclosure

Last updated: July 9, 2026

Aquin Labs takes the security of the Aquin CLI, web dashboard, APIs, and related infrastructure seriously. If you believe you have found a security vulnerability, we want to hear from you.

This policy describes how to report security issues responsibly and what you can expect from us. It applies to services operated by Aquin Labs at aquin.app and related domains, including the CLI sync API and authentication systems.

scope

We welcome reports covering, for example:

  • Authentication, authorization, or session flaws
  • Cross-account data access or CLI inbox exposure
  • API key or CLI token leakage, misuse, or bypass
  • Injection, SSRF, or remote code execution in web or API surfaces
  • Insecure data handling in cloud-synced command records
  • Privilege escalation in the web dashboard or admin flows

out of scope

The following are generally out of scope for this program:

  • Vulnerabilities in third-party services (Supabase, Vercel, Cloudflare, Dodo Payments, Hugging Face, model providers) unless they directly and demonstrably affect Aquin Labs accounts or data
  • Social engineering, phishing, or physical attacks against Aquin Labs staff or users
  • Denial-of-service attacks or automated scanning that degrades service for other users
  • Issues in user-owned local environments, custom model weights, or third-party Hugging Face repositories
  • Missing security headers or best-practice hardening with no demonstrated exploit
  • Bugs in open source dependencies without a working proof of concept against Aquin

how to report

Email security@aquin.app with as much detail as possible. If you cannot reach that address, use aquin@aquin.app and mark the subject line "Security Report".

Please include:

  • A clear description of the issue and its potential impact
  • Steps to reproduce, including URLs, endpoints, or CLI commands
  • Proof of concept, screenshots, or logs where available
  • Your contact information for follow-up

Do not include live exploitation against production accounts you do not own. Use test accounts where possible.

responsible testing

When investigating a potential issue:

  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt Aquin services for other customers
  • Do not publicly disclose the issue before we have had a reasonable chance to fix it
  • Follow our Acceptable Use Policy

Aquin Labs supports good-faith security research conducted within these boundaries. We will not pursue legal action against researchers who report issues responsibly and in accordance with this policy.

what to expect

We aim to acknowledge reports within 3 business days. We will work to validate, prioritize, and remediate confirmed issues as quickly as practicable. We may request additional information and will keep you informed of material status changes when appropriate.

Aquin Labs does not currently operate a paid bug bounty program. We may, at our discretion, recognize valuable reports with credit or other acknowledgment.

coordinated disclosure

We ask that you give us a reasonable period to investigate and remediate before any public disclosure. For most issues, we request at least 90 days unless a fix is available sooner or the issue is already public. We will work with you on disclosure timing and may publish advisories when fixes are deployed.

contact

Security reports: security@aquin.app

General inquiries: aquin@aquin.app

See also our Terms of Service and Privacy Policy.

questions? reach out to us at security@aquin.app

Work with us

Interpretability tooling, custom SAE databases, mechanistic audits, circuit reports, and hands-on research, experiments, and studies for teams of all sizes. Reach us at aquin@aquin.app

Book a call

Not sure if Aquin is right for you?

Aquin