Responsible Disclosure Policy

Last updated: April 28, 2026

Purpose

The security of our systems and user data is our top priority. We appreciate the work of security researchers acting in good faith to identify and report potential vulnerabilities. This policy describes how to report vulnerabilities, what to expect from us, and the protections we offer in return.

Scope

This policy covers all internet-facing systems, applications, and websites owned or operated by Autono Labs, Inc. (operator of the System2 service), including the system2.sh domain and related subdomains.

This policy does not cover third-party services, even when accessible through our platform. Please follow those providers’ own disclosure policies.

In-scope vulnerabilities

We are interested in technical vulnerabilities such as:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Authentication or authorisation bypasses
  • Privilege escalation
  • Server-side request forgery (SSRF)
  • Remote code execution
  • Significant misconfigurations

Out-of-scope vulnerabilities

  • General security best-practice findings without a working proof-of-concept
  • Missing rate limiting or brute-force protection on unauthenticated endpoints
  • Denial of service attacks
  • Social engineering (including phishing)
  • Physical attacks
  • Clickjacking on pages with no sensitive actions
  • Missing cookie flags (HttpOnly, Secure)
  • Widely publicised vulnerabilities in third-party software for which a patch has been available for fewer than 30 days
  • AI model jailbreaks or prompt injection (out of scope for this policy; send these to security@autono.sh as a separate report)

How to report

Email your findings to security@autono.sh. Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, including URLs and parameters
  • Proof-of-concept code, screenshots, or screen recordings
  • Your recommended fix, if any

Submit one vulnerability per report. The more detail you provide, the faster we can investigate and respond.

Research guidelines

When conducting security research, please:

  • Test only for the purpose of identifying and reporting vulnerabilities
  • Avoid accessing, modifying, or deleting data that is not your own
  • Do not disrupt our services or degrade the experience for other users
  • Do not exploit a vulnerability beyond what is minimally needed to prove it exists
  • Coordinate disclosure timing with us before publishing
  • Do not require payment as a condition of disclosure

What to expect from us

  • We will acknowledge your report within 3 business days
  • We will investigate promptly and keep you informed of progress
  • If you wish, we will credit you publicly when disclosing a fix
  • We will not share your personal information without your consent unless required by law

Safe harbour

If you make a good-faith effort to discover and report vulnerabilities in accordance with this policy, we will not pursue legal action against you. This safe harbour applies provided your disclosure is unconditional and does not involve extortion or threats.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. Vulnerabilities disclosed before an update remain subject to the policy in effect at the time of disclosure.


Questions about this document? security@autono.sh

Postal: Autono Labs, Inc. (operator of System2), 131 Continental Drive, Suite 305, Newark, DE 19713, USA. See /legal for our full set of policies.

© 2026 Autono Labs, Inc. All rights reserved. System2 is a product of Autono Labs, Inc.