Home Features Pricing Docs Blog About Contact Client Login View Pricing
Security

Security Disclosure Policy

We take security seriously. If you've found a vulnerability, we want to hear from you.

Responsible Disclosure

We believe that responsible disclosure of security vulnerabilities is essential to keeping our platform and our clients safe. If you have discovered a security issue in the Prometheus AI platform, agent, or API, we encourage you to report it to us privately so we can address it before it is publicly disclosed.

How to Report

Send your report to [email protected]. Please include:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the issue, including any tools, scripts, or payloads used.
  • The affected component (platform, agent, API endpoint, web portal, admin dashboard).
  • Your assessment of severity (critical, high, medium, low).
  • Any suggested remediation, if applicable.

If you would like to encrypt your report, contact us for our PGP public key.

Scope

The following components are in scope for security research:

  • Platform API: All endpoints under /api/v2/, /api/agent/, and /api/portal/.
  • Agent Software: The Prometheus agent package, including collectors, response executor, queue, sender, and updater.
  • Web Applications: The marketing site, Client Portal (/portal/), and Admin Dashboard (/admin/).
  • Authentication Systems: HMAC signing, session authentication, API key management, and enrollment token flow.
  • ML Pipeline: Model training, shadow scoring, promotion logic, and feature extraction.

Out of Scope

The following are out of scope and should not be tested:

  • Denial of service (DoS/DDoS) attacks against production infrastructure.
  • Social engineering attacks against RocketCore employees or clients.
  • Physical security assessments of our infrastructure.
  • Third-party services we use (Stripe, email providers, DNS hosting).
  • Automated vulnerability scanning that generates excessive traffic.
  • Accessing, modifying, or deleting data belonging to other clients.

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption.
  • Only interact with accounts they own or have explicit permission to test.
  • Report vulnerabilities promptly and provide reasonable time for remediation before public disclosure.
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
  • Do not exfiltrate, store, or share client data encountered during research.

Response Timeline

48h
Initial Acknowledgment
7 days
Initial Assessment
30 days
Critical Fix Deployed
90 days
Full Remediation

We will acknowledge receipt of your report within 48 hours and provide an initial assessment within 7 days. Critical vulnerabilities will be patched within 30 days. All reported vulnerabilities will be fully remediated within 90 days. We will keep you informed of our progress throughout the process.

Recognition

We appreciate the security community's efforts in helping us keep Prometheus AI secure. With your permission, we will recognize your contribution on our Security Hall of Fame. We are also open to discussing bounty rewards for critical and high-severity findings on a case-by-case basis.

Contact

Security reports: [email protected]
General inquiries: Contact page
PGP key: Available upon request