// Security

Reporting a vulnerability

If you believe you've found a security vulnerability in ctoai.live, the ctoailive CLI, or any related service, please email security@ctoai.live. We acknowledge reports within 48 hours and aim to triage within 5 business days.

What to include

• A short description of the issue and its impact
• A reproduction (commands, URLs, payloads) we can run in a test account
• Your contact and, optionally, a name for public acknowledgement

Scope

• ctoai.live and all subdomains
• The ctoailive npm package
• Our Render-hosted grapher service
• GitHub App permissions and webhook handlers

Out of scope

• Denial-of-service attacks or volumetric testing
• Social engineering of CTO.ai staff or customers
• Physical attacks
• Issues requiring a privileged account we did not issue

Safe harbor

Good-faith research conducted within the scope above will not result in legal action from us. If in doubt, email first and we'll coordinate.