Responsible Disclosure
How to report security vulnerabilities to AERIOX. Last updated: April 20, 2026.
Overview
AERIOX welcomes reports of security vulnerabilities affecting our platforms. We view the security research community as a partner in keeping our users safe. This page describes how to report issues responsibly and what to expect from us in return.
How to report
Email security@aeriox.co with:
- A clear description of the vulnerability and where it lives (URL or component)
- Reproduction steps detailed enough for us to verify the issue
- Impact assessment (what an attacker could achieve)
- Optional: a suggested mitigation
For sensitive disclosures, ask for our PGP key in your initial email and we will send it to you for encrypted follow-up correspondence.
Our commitment
- Acknowledgment within 72 hours of report receipt
- Status update within 7 calendar days with our initial assessment
- Regular communication throughout remediation
- Public credit on this page (with your permission) once a fix is deployed
We do not currently operate a paid bug bounty program but plan to introduce one post-launch. Researchers who follow this policy and disclose responsibly will not face legal action from AERIOX.
Scope
The following AERIOX-operated assets are in scope:
- create.aeriox.co and all subdomains
- aeriox.co and all subdomains
- The AERIOX public API
- AERIOX-operated mobile and desktop applications
- AERIOX infrastructure (Vercel, Supabase, Cloudflare R2 — to the extent we control configuration)
Out of scope
The following do not qualify as security vulnerabilities for purposes of this policy:
- Social engineering of AERIOX staff or contractors
- Denial-of-service attacks (volumetric, application-layer, or otherwise)
- Physical attacks on AERIOX offices or staff
- Automated scanner output without proof of exploitability
- Reports of missing security headers without an associated impact
- Best-practice deviations that do not have a working exploit (e.g. "you should use stricter cookies")
- Vulnerabilities in third-party dependencies that we cannot remediate independently of upstream patches
- Issues in services not operated by AERIOX (Stripe, FAL.ai, ElevenLabs, Anthropic, OpenAI, etc. — please report those to the respective vendor)
Safe-harbor practices
To stay within the spirit of responsible disclosure, please:
- Use only your own AERIOX account or accounts you own to test
- Do not access, modify, or delete data belonging to other users
- Do not pivot to internal AERIOX systems or downstream services
- Do not exfiltrate more data than necessary to demonstrate the issue
- Do not publicly disclose the issue until we confirm it is remediated and we have agreed on a coordinated disclosure timeline
Researchers acting in good faith and following this policy will not face legal action from AERIOX, and we will work with you in good faith.
Hall of fame
Researchers who report valid vulnerabilities are credited here (with their permission) once a fix ships.
No reports yet — be the first.
Machine-readable contact
Per RFC 9116, our security disclosure metadata is also published at /.well-known/security.txt. Automated tooling and bug bounty platforms can fetch that file directly.
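As an added illustration (this is example code written for this page, not AERIOX's own tooling, and the sample file below is a constructed assumption rather than AERIOX's published security.txt), the checker below parses a security.txt body and verifies the RFC 9116 requirements that most often go wrong in practice: Contact must be present and use a mailto:, tel: or https:// URI; Expires must be present exactly once, carry a timezone, and lie in the future (the RFC recommends less than a year out); Preferred-Languages may appear at most once; and, if you pass the URL you fetched from, Canonical should list it. The field values and URLs in the sample are illustrative.

```python
"""Minimal RFC 9116 security.txt checker.

Example code added for this page; not AERIOX's tooling. The sample file
below is constructed for illustration and its values are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, NOT fetched from aeriox.co; every value is an assumption.
SAMPLE_SECURITY_TXT = """\
# Example security.txt (constructed for illustration)
Contact: mailto:security@aeriox.co
Expires: 2027-04-20T00:00:00Z
Canonical: https://aeriox.co/.well-known/security.txt
Policy: https://aeriox.co/responsible-disclosure
Preferred-Languages: en
"""

REQUIRED = ("contact", "expires")                 # RFC 9116: MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # RFC 9116: at most once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # allowed Contact URI schemes


def parse_security_txt(text):
    """Return {field_name_lower: [values, ...]}, skipping comments and blank lines.

    Field names are case-insensitive per the RFC, so they are lower-cased here.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, expected_canonical=None, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    for value in fields.get("contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {value}")

    # Only validate the timestamp when there is exactly one Expires line;
    # duplicates are already reported above.
    if len(fields.get("expires", [])) == 1:
        stamp = fields["expires"][0]
        try:
            exp = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {stamp}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append("Expires is in the past; treat the file as stale")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    if expected_canonical and expected_canonical not in fields.get("canonical", []):
        problems.append(f"Canonical does not list {expected_canonical}")
    return problems


if __name__ == "__main__":
    fixed_now = datetime(2026, 4, 20, tzinfo=timezone.utc)  # matches the sample's date
    for problem in check_security_txt(
        SAMPLE_SECURITY_TXT,
        expected_canonical="https://aeriox.co/.well-known/security.txt",
        now=fixed_now,
    ):
        print("PROBLEM:", problem)
```

To check a live file, fetch the body of https://aeriox.co/.well-known/security.txt over HTTPS and pass it to check_security_txt with the URL you fetched as expected_canonical; the Expires check is the one that silently breaks most deployments, because the file is published once and then forgotten until tooling starts treating it as stale.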