Trust · Security
Responsible disclosure.
Last updated · 15 May 2026
Found a security issue in MLtitude? Email info@edothsoft.com. We will acknowledge within two business days and work with you in good faith. This page is the human-readable version of /.well-known/security.txt.
Scope
- In scope: the MLtitude web application and any sub-domain we operate; the public API at /api/*; the marketing pages.
- Out of scope: third-party services we use (Hetzner, Cloudflare, OpenAI, Google, Sentry, Stripe, Zoho). Report to them directly; we'll coordinate if helpful.
- Out of scope: denial-of-service attacks, social-engineering attempts against staff, physical-security tests, and any attack against systems we don't own.
What we ask of researchers
- Act in good faith. Don't access, modify, or delete data beyond what's necessary to demonstrate the issue.
- Don't disclose the issue publicly until we've had a reasonable chance to remediate.
- If you need to test against the live application, please use an account you control or one we provide for testing. Don't access other customers' data.
- Provide enough detail for us to reproduce: URL, payload, expected vs. actual behaviour.
What we commit to
- We will acknowledge your report within two business days.
- We will respond with an initial triage and severity within five business days.
- We will keep you informed of progress and let you know when the issue is fixed.
- We will credit you publicly (with your permission) on a hall-of-fame page once the issue is closed.
- We do not currently run a paid bug bounty. We may consider goodwill payments for impactful findings on a case-by-case basis.
Safe-harbour
Provided you act in good faith and within the scope above, MLtitude will not pursue legal action against you for security research. We consider research conducted under these terms to be authorised testing.
Reporting channels
- Primary: info@edothsoft.com
- Encrypted submission: if you'd like to send the report PGP-encrypted, request our public key from the same address.
- Machine-readable: /.well-known/security.txt (RFC 9116).
What you'll need to include
- A clear description of the vulnerability.
- The URL, endpoint, or surface affected.
- Reproduction steps, ideally with a minimal proof-of-concept.
- Your assessment of impact, if you have one.
- Your name or handle, if you'd like credit when the issue is closed.
For non-security questions about MLtitude's posture, see the trust center.