Responsible Disclosure

Last Updated: May 15, 2026

01 | Our Commitment

Security is foundational to Replicas. We run untrusted code on behalf of our users and store sensitive credentials, so we take security reports seriously and treat the researchers who send them as partners. If you believe you have found a security vulnerability in any Replicas product or service, we want to hear from you.

This policy describes how to report a vulnerability to us, what is in scope, and what you can expect from our team in return. It applies to all customer-facing products operated by Replicas Group Inc., including tryreplicas.com, docs.tryreplicas.com, and our public APIs.

02 | How to Report

Send security reports to founders@replicas.dev. Please include enough information for us to reproduce and assess the issue:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions, including any required accounts, URLs, or payloads
  • Proof-of-concept code, screenshots, or video where helpful
  • Your name or handle if you would like to be credited (optional)

03 | What You Can Expect

When you submit a report in good faith, we will:

  • Acknowledge receipt within 3 business days
  • Provide an initial assessment and severity triage within 10 business days
  • Keep you updated on remediation progress for valid findings
  • Notify you when the issue is fixed and, with your permission, publicly credit you
  • Not pursue legal action against you for research conducted within the rules of this policy

04 | Scope

In Scope

  • The Replicas web application at tryreplicas.com and app.tryreplicas.com
  • The Replicas public API at api.tryreplicas.com and documented endpoints
  • The Replicas CLI and SDKs distributed by Replicas Group Inc.
  • Workspace sandbox isolation and credential handling
  • Authentication, authorization, and session management

Out of Scope

The following are generally not eligible for a security report under this policy:

  • Findings from automated scanners without a demonstrated, exploitable impact
  • Denial of service, volumetric, or resource-exhaustion attacks
  • Social engineering of Replicas employees, contractors, or customers
  • Physical attacks against Replicas property or data centers
  • Issues in third-party services or infrastructure we do not control (e.g., upstream providers such as AWS, Daytona, Supabase, Vercel, Stripe) — please report those to the relevant vendor
  • Missing security headers, cookie flags, or TLS configuration issues without a concrete exploitation path
  • Self-XSS, clickjacking on pages without sensitive actions, and CSRF on unauthenticated endpoints
  • Email spoofing, SPF/DKIM/DMARC issues, and rate-limiting on non-sensitive endpoints
  • Vulnerabilities affecting only outdated or unpatched browsers, operating systems, or platforms
  • Disclosure of public information or information that does not present a security risk

05 | Rules of Engagement

To stay within the protections of this policy, please:

  • Only test against accounts and resources you own or have explicit permission to test
  • Avoid accessing, modifying, or deleting data that is not yours; stop and report as soon as you confirm impact
  • Do not run automated scanners against our production environment without prior written approval
  • Do not perform attacks that degrade service for other users (DoS, brute force, spam, etc.)
  • Keep details of the vulnerability confidential until we have had a reasonable opportunity to remediate (we aim for 90 days)
  • Comply with all applicable laws in your jurisdiction

06 | Safe Harbor

Replicas considers security research conducted in accordance with this policy to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) and similar laws, and we will not initiate or support legal action against you for accidental, good-faith violations
  • Exempt from the anti-circumvention provisions of the DMCA, and we will not bring a claim against you for circumvention of technology controls
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized.

07 | Rewards

For valid reports of previously unknown vulnerabilities, Replicas may issue a monetary bounty at our sole discretion. Risk assessment and bounty amounts are determined on a case-by-case basis using the CVSS v3 and v4 scoring systems together with our internal knowledge of the affected system. Previous bounty amounts are not to be considered precedent for future reports.

Reports that duplicate a previously reported issue, or that fall under the “Out of Scope” list in Section 04, are not eligible for a bounty.

Bounties are paid in US dollars via bank wire transfer, within 30 days of remediation being confirmed. We also publicly thank researchers who responsibly disclose valid issues (with their permission) and are happy to provide a written acknowledgement of your contribution.

08 | Contact

All security correspondence should be sent to founders@replicas.dev.

We may update this policy from time to time. The current version is always available at this URL, with the “Last Updated” date at the top reflecting the most recent change.