Security & responsible disclosure
Anyma is an AI coworker with access to real tools and real data. We take that responsibility seriously, and we welcome good-faith security research.
RFC 9116 contact: /.well-known/security.txt · Last updated 2026-06-13
Reporting a vulnerability
If you believe you have found a security vulnerability in Anyma, email us. Please include enough detail to reproduce the issue — affected URL or component, steps, and impact. Encrypt sensitive details if you prefer; ask and we will share a key.
[email protected]
Our commitment to you
When you report in good faith, here is what you can expect from us:
We will keep you informed as we work toward a fix, and we are happy to coordinate public disclosure once the issue is resolved.
Safe harbor
We will not pursue or support legal action against researchers who, in good faith, follow this policy. Activity conducted consistent with this policy is considered authorized, and we consider it a valuable contribution. If a third party brings legal action against you for work done under this policy, we will make it clear that your actions were authorized.
Scope & ground rules
- Test only against accounts and data you own or have explicit permission to access.
- Do not access, modify, or destroy other customers' data; stop at proof of concept.
- Do not run denial-of-service, spam, or social-engineering attacks against our staff or customers.
- Give us reasonable time to remediate before any public disclosure.
Out of scope
- Reports from automated scanners without a demonstrated, exploitable impact.
- Missing best-practice headers or TLS configuration with no concrete exploit.
- Findings affecting only unsupported browsers or out-of-date software.
- Vulnerabilities in third-party integrations not operated by Anyma.
Rewards
This is an unpaid responsible-disclosure program: we offer recognition and our thanks, not monetary bounties. A paid bug-bounty program may follow later as a separate decision.