Security
Coordinated vulnerability disclosure for SymGraph
SymGraph supports good-faith security research that helps protect the platform, its public code, and its users. If you report an issue responsibly and follow the rules below, we will treat your work as authorized under this policy.
Safe Harbor
Good-faith research is welcome
We will not initiate legal action or suspend accounts for security research conducted in good faith, in compliance with this policy, and designed to avoid privacy violations, service disruption, or destruction of data. If you discover sensitive data unintentionally, stop testing, do not retain it, and report the issue immediately to security@symgraph.ai.
Reporting
Send reports to security@symgraph.ai
Use our public PGP key if you need encrypted communication. Include the asset, impact, reproduction steps, and enough technical detail for us to validate the issue.
In-scope assets
This policy covers SymGraph-operated public services and repositories. Public third-party integrations or customer-managed deployments are not in scope unless SymGraph explicitly confirms otherwise in writing.
- symgraph.ai: Primary SymGraph application, public marketing pages, account flows, and platform APIs exposed from the main production domain.
- console.symgraph.ai: SymGraph-operated console and administrative web surfaces intended for authenticated use by authorized users.
- github.com/symgraph/*: Public SymGraph repositories linked from the website or documentation, including the desktop plugins and MCP companion servers.
Out-of-scope activity
- Social engineering, phishing, or pretexting against SymGraph staff, contractors, users, or vendors.
- Denial-of-service, spam, brute-force, or other load-based testing that could degrade availability.
- Physical attacks, office intrusion, tampering with equipment, or access to private networks.
- Destructive testing, persistence, privilege escalation chaining, or modification of production data beyond what is necessary to demonstrate impact.
- Accessing, downloading, retaining, or sharing data that belongs to another user, organization, or tenant.
- Testing third-party services, customer-managed deployments, or infrastructure not owned and operated by SymGraph.
Test rules
- Use only accounts, binaries, repositories, and environments you own or are authorized to test.
- Rate-limit requests and avoid automated activity that could impair availability, integrity, or user experience.
- Stop once you have enough evidence to demonstrate the issue. Do not pivot to unrelated systems or attempt to establish persistence.
- If you encounter another user's data, cease access immediately, do not copy it, and report the exposure right away.
What to include in a report
- Affected asset, URL, repository, endpoint, or feature
- Clear reproduction steps, prerequisites, and tooling used
- Security impact and realistic attack scenario
- Proof-of-concept, logs, screenshots, or code snippets as needed
- Suggested remediation or mitigations, if you have them
Triage and disclosure timelines
We aim to acknowledge reports within 3 business days and provide an initial triage status within 7 business days. We may ask for additional validation detail during triage, and we will coordinate public disclosure timing with you after a fix or mitigation is available. Duplicate reports may not receive separate public recognition.
Privacy and data handling
We use reporter contact details only to validate, coordinate, and close security cases. Reporter personal data is retained for up to 90 days after closure unless a longer period is required for legal, accounting, abuse-prevention, or incident response obligations.
Recognition
With your permission, we may publicly thank eligible reporters on our recognition page. This policy does not create a bug bounty program or guarantee monetary rewards, swag, or other compensation.