Security at Cognita
We're building the audit trail for AI compliance. That promise depends on operating one ourselves — so when you find something we missed, we want to hear about it.
How to report
Pick whichever channel fits the urgency. We respond to all inbound within one business day.
- Email: request a PGP key in your first email; we'll respond with the current fingerprint.
- security.txt: /.well-known/security.txt (machine-readable per RFC 9116).
- In-app report: Settings → Security → Report a vulnerability. Authenticated reporters get a tenant-isolated thread.
Scope
- cognitagrc.io, app.cognitagrc.io, trust.cognitagrc.io and any *.cognitagrc.io subdomain
- The Cognita iOS / Android apps when they ship
- The cryptographic ledger and exporter CLI in this repo (scripts/verify-ledger.ts, templates/verify-ledger.mjs)
- Connector webhook handlers — auth bypass via signature spoofing is in scope
- The Auditor Lock + Auditor Session machinery — privilege escalation across scope is the highest-priority concern
What we ask
- Don't access, modify, or delete data that isn't yours. Test on a workspace you control.
- Don't intentionally run automated scanners that trip our rate limits — coordinate with us first if you need to.
- Give us a reasonable window — typically 90 days — before public disclosure.
- If you accidentally hit production data, stop, tell us, and we'll work it out.
What you can expect
- Triage acknowledgement within 1 business day
- Severity assessment within 5 business days, based on CVSS v4 plus customer impact
- A patch timeline you can hold us to, in writing
- Credit on the hall of fame below if you want it; anonymity if you don't
- HackerOne bounty for in-scope reports once that program opens
Hall of fame
Researchers who've helped us catch real issues. Listed with permission.
The wall is empty for now — the program just opened. Find something? You'll be the first.
Out of scope
- Self-XSS, clickjacking on pages without sensitive actions, missing rate limits on read endpoints
- Vulnerabilities in third-party services (Clerk, Stripe, Inngest, AWS) — report those upstream
- Issues requiring local access, MITM on a victim's network, or social engineering of our staff
- Security headers as a sole finding — please pair with a working exploit