AuthPI builds identity infrastructure. Security researchers who report vulnerabilities to us responsibly make that infrastructure better, and this policy exists so you know exactly how to reach us, what to expect, and what we commit to in return.
If you believe you have found a security vulnerability in an AuthPI service, we want to hear from you.
How to report
Email security@authpi.com with:
- A description of the vulnerability and its potential impact.
- Steps to reproduce it — a proof of concept, request/response captures, or a script is ideal.
- The domain, endpoint, or component affected.
- Any accounts, issuer IDs, or identifiers involved in your testing, so we can trace activity in our logs.
You can write to us in English or French. We do not require a PGP-encrypted report; if your finding is especially sensitive, say so in a first email without details and we will arrange a secure channel.
Our machine-readable disclosure information is published at /.well-known/security.txt per RFC 9116.
What to expect from us
- Acknowledgment within 48 hours. A human confirms we received your report.
- Triage within 5 business days. We tell you whether we can reproduce the issue, how we assess its severity, and what happens next.
- Progress updates at reasonable intervals until the issue is resolved, and a heads-up when a fix ships.
Reports are triaged by AuthPI’s founding engineering team, who own the affected systems directly — there is no intermediary between your report and the people who can fix it.
Scope
The following services are in scope:
| Domain | Service |
|---|---|
| api.authpi.com | Core API |
| idp.authpi.com | Identity provider (hosted sign-in, OIDC endpoints) |
| console.authpi.com | Dashboard |
| authpi.com | Website and documentation |
We are most interested in vulnerabilities with real security impact on an identity platform: authentication or authorization bypass, cross-tenant data access, token or session forgery, credential exposure, and injection attacks.
Out of scope
- Denial-of-service or volumetric attacks, and any testing that degrades service for others.
- Social engineering, phishing, or physical attacks against AuthPI or its users.
- Reports from automated scanners without a demonstrated, exploitable impact.
- Missing security headers, SPF/DKIM/DMARC configuration notes, or version disclosure without a working exploit path.
- Rate-limiting observations without demonstrated security impact.
- Third-party services we link to but do not operate.
If you are unsure whether something is in scope, ask first at the same address.
Ground rules and safe harbor
When testing, use only accounts and issuers you created yourself. Do not access, modify, or delete data belonging to other users or customers — if a vulnerability exposes someone else’s data, stop at the minimum needed to demonstrate the issue and report it immediately. Do not exfiltrate data, pivot deeper into our infrastructure, or degrade the service.
In return: we will not initiate legal action against researchers who make a good-faith effort to follow this policy. We consider security research conducted under these rules to be authorized, and if a third party raises a legal question about your research, we will make it known that your actions were conducted in compliance with this policy.
Disclosure
We ask that you give us a reasonable window to fix the issue before any public disclosure — 90 days from your report, or a timeline we agree on together for issues that need coordination. We are happy to coordinate disclosure timing and content with you.
Questions about this policy: security@authpi.com. For privacy matters, see our privacy policy; for how AuthPI is built, see the security overview.