# Security
We take security seriously. This page describes how to report a vulnerability, what response you can expect, and what is in scope.
## Report a vulnerability

Email security@inferior.ai with a description of the issue and reproduction steps. We accept reports in any language, but English is fastest.

For sensitive disclosures, encrypt with our PGP key; the fingerprint is published at /.well-known/security.txt.
## What to include

- Affected surface: the service endpoint, SDK package and version, or integration repo.
- Reproduction steps (a smaller reproduction is faster to triage).
- Impact assessment: data exposure, remote code execution, credential exposure?
- Your contact info. We credit you in the public advisory unless you ask us not to.
## Response SLA

| Stage | Target |
|---|---|
| Initial acknowledgement | 48 hours |
| Triage + severity decision | 7 days |
| Patch shipped (high / critical) | 14 days from triage |
| Patch shipped (medium) | 30 days from triage |
| Public advisory | Coordinated with reporter; no later than 90 days from initial report |
## Scope

In scope: the production API at api.inferior.ai, the SDK / CLI / MCP packages on PyPI and npm, the Claude / Codex / Gemini integrations, and this marketing site.

Out of scope: findings that require physical access, social engineering of an Inferior employee, or denial-of-service against your own resources. Forks or modifications of our public integration repos are also out of scope.
## Coordinated disclosure

We follow a 90-day coordinated-disclosure policy. We will publish a public advisory once a fix is available; we ask reporters not to disclose publicly before then.
## Past advisories

We will list resolved advisories here once any are published.