Runware logoRunware

Responsible Security Disclosure Policy

Overview

Runware welcomes responsible disclosure of security vulnerabilities that may impact the confidentiality, integrity, or availability of our systems.

This policy is intended to provide a safe, transparent way for security researchers to report legitimate vulnerabilities without creating unnecessary operational or legal risk for either party.

At this time, Runware operates a Responsible Disclosure Program, not a public bug bounty.

How to report a vulnerability

Please report potential security issues to: [email protected].

Include the following where possible:

  • A clear description of the issue
  • Affected asset(s) or endpoint(s)
  • Reproduction steps or proof of concept
  • The potential impact if exploited

Reports without sufficient detail may not be actionable.

Scope

This Responsible Disclosure Policy applies only to Runware-operated production services and demonstrable security vulnerabilities that result in:

  • Unauthorised access to data
  • Authentication or authorisation bypass
  • Cross-tenant data exposure
  • Privilege escalation
  • Remote code execution

The following are out of scope:

  • Denial of Service or traffic flooding
  • Rate limiting issues
  • Automated scanning or mass-reported findings
  • Best-practice or configuration recommendations without exploitability
  • Vulnerabilities in third-party services unless directly exploitable in Runware systems

Rules of Engagement

Researchers must:

  • Act in good faith
  • Avoid automated scanning, fuzzing, or brute-force attacks
  • Avoid accessing, modifying, or deleting customer data
  • Avoid disruption to production systems
  • Cease testing once a vulnerability is confirmed

Safe Harbour

Runware will not pursue legal action against individuals who:

  • Follow this policy
  • Act in good faith
  • Avoid privacy violations, data destruction, or service disruption

This safe harbour applies only to activities conducted within the scope of this policy.

Response expectations

  • We aim to acknowledge valid, in-scope reports within 5 business days
  • Remediation timelines depend on severity and business impact
  • We do not guarantee status updates or detailed responses
  • We do not currently offer financial rewards or bounties

Recognition

At this time, Runware does not operate a public hall of fame or bug bounty program.