Coordinated Vulnerability Disclosure Policy

Our commitment

Thinking Machines Lab is an artificial intelligence research and product company. We’re building a future where everyone has access to the knowledge and tools to make AI work for their unique needs and goals. We take the security and integrity of our systems, our users, and our models seriously, and we recognize that independent security researchers play a vital role in keeping people safe.

This policy describes how to report a security vulnerability to us, what you can expect in return, and the conditions under which we will treat your research as authorized and conducted in good faith. We welcome reports from the research community and are committed to working with you to verify, remediate, and responsibly disclose the issues you find.

If you believe you have found a vulnerability, please report it to us using the process below. We will not pursue or support legal action against researchers who act solely for the purpose of security testing, in good faith, and in accordance with this policy.

Please note that we do not operate a bug bounty program and do not offer monetary rewards or compensation of any kind for vulnerability reports.

Safe harbor

When you conduct security research and vulnerability disclosure in good faith and in compliance with this policy, we consider that research to be authorized, and we will:

  • Not pursue or support any legal action against you for accidental, good-faith violations of this policy, including under the Computer Fraud and Abuse Act or the anti-circumvention provisions of the Digital Millennium Copyright Act;
  • Waive any restrictions in our Terms of Service or Acceptable Use Policy that would otherwise prohibit the security disclosure process described here, to the limited extent necessary to disclose issues; and
  • If a third party initiates legal action against you for activities conducted in accordance with this policy, take reasonable steps to make it known that your actions were authorized under this policy.

Good faith means: complying with this policy, making a genuine effort to avoid harm to people, data, and service availability, and giving us a reasonable opportunity to resolve the issue before disclosing it publicly. Good faith does not include efforts that knowingly accept risk of harm to people. If at any point you are uncertain whether a specific action is consistent with this policy, pause and ask us first at [email protected].

This safe harbor does not authorize action inconsistent with the Guidelines below, and does not apply to activity that violates applicable law independent of this policy.

Guidelines for researchers

To stay within scope and within the safe harbor, please:

  • Minimize harm. Access, modify, exfiltrate, or store only the minimum data necessary to demonstrate a vulnerability. The moment you encounter personal data, credentials, or other sensitive information, stop, do not save it, and report it.
  • Keep findings confidential until we have agreed on coordinated disclosure.
  • Submit one vulnerability per report where practical, with enough detail for us to reproduce it.
  • Comply with all applicable laws and with any data-protection obligations relevant to information you encounter.
  • Use only your own account or accounts you have written consent to use for these purposes.

Scope

This policy applies to security vulnerabilities in Thinking Machines Lab’s systems, services, and infrastructure. It covers technical flaws that could compromise the confidentiality, integrity, or availability of those systems.

This policy does not cover model safety issues. If you wish to raise a safety concern, please contact us at [email protected] rather than using the reporting process below.

The following are also generally out of scope:

  • Findings from automated scanners without a demonstrated, exploitable impact
  • Denial-of-service testing, volumetric attacks, or resource-exhaustion techniques
  • Social engineering, phishing, or physical attacks against our staff, users, or facilities
  • Reports affecting only unsupported or end-of-life systems, browsers, or software
  • Third-party services or platforms we do not own or control

How to report

  1. Email your report to [email protected].
  2. Encrypt any sensitive details using our PGP key: [4FA9 136F 8F68 DDFD 1E78 6EBE CB0B 7A1E 3028 4CB4], available at https://thinkingmachines.ai/.well-known/pgp-key.txt.
  3. Please include:
    • A clear summary of the issue and its potential impact
    • The affected asset(s): URL, endpoint, parameter, app version, or feature
    • The vulnerability type
    • Step-by-step reproduction instructions
    • Any suggested remediation, if you have one
    • Your contact details