security & responsible disclosure
Last updated: July 9, 2026
Aquin Labs takes the security of the Aquin CLI, web dashboard, APIs, and related infrastructure seriously. If you believe you have found a security vulnerability, we want to hear from you.
This policy describes how to report security issues responsibly and what you can expect from us. It applies to services operated by Aquin Labs at aquin.app and related domains, including the CLI sync API and authentication systems.
scope
We welcome reports covering, for example:
- Authentication, authorization, or session flaws
- Cross-account data access or CLI inbox exposure
- API key or CLI token leakage, misuse, or bypass
- Injection, SSRF, or remote code execution in web or API surfaces
- Insecure data handling in cloud-synced command records
- Privilege escalation in the web dashboard or admin flows
out of scope
The following are generally out of scope for this program:
- Vulnerabilities in third-party services (Supabase, Vercel, Cloudflare, Dodo Payments, Hugging Face, model providers) unless they directly and demonstrably affect Aquin Labs accounts or data
- Social engineering, phishing, or physical attacks against Aquin Labs staff or users
- Denial-of-service attacks or automated scanning that degrades service for other users
- Issues in user-owned local environments, custom model weights, or third-party Hugging Face repositories
- Missing security headers or best-practice hardening with no demonstrated exploit
- Bugs in open source dependencies without a working proof of concept against Aquin
how to report
Email security@aquin.app with as much detail as possible. If you cannot reach that address, use aquin@aquin.app and mark the subject line "Security Report".
Please include:
- A clear description of the issue and its potential impact
- Steps to reproduce, including URLs, endpoints, or CLI commands
- Proof of concept, screenshots, or logs where available
- Your contact information for follow-up
Do not include live exploitation against production accounts you do not own. Use test accounts where possible.
responsible testing
When investigating a potential issue:
- Do not access, modify, or delete data belonging to other users
- Do not disrupt Aquin services for other customers
- Do not publicly disclose the issue before we have had a reasonable chance to fix it
- Follow our Acceptable Use Policy
Aquin Labs supports good-faith security research conducted within these boundaries. We will not pursue legal action against researchers who report issues responsibly and in accordance with this policy.
what to expect
We aim to acknowledge reports within 3 business days. We will work to validate, prioritize, and remediate confirmed issues as quickly as practicable. We may request additional information and will keep you informed of material status changes when appropriate.
Aquin Labs does not currently operate a paid bug bounty program. We may, at our discretion, recognize valuable reports with credit or other acknowledgment.
coordinated disclosure
We ask that you give us a reasonable period to investigate and remediate before any public disclosure. For most issues, we request at least 90 days unless a fix is available sooner or the issue is already public. We will work with you on disclosure timing and may publish advisories when fixes are deployed.
contact
Security reports: security@aquin.app
General inquiries: aquin@aquin.app
See also our Terms of Service and Privacy Policy.
questions? reach out to us at security@aquin.app
Work with us
Interpretability tooling, custom SAE databases, mechanistic audits, circuit reports, and hands-on research, experiments, and studies for teams of all sizes. Reach us at aquin@aquin.app
Not sure if Aquin is right for you?
Aquin
