Bug Bounty Program

Introduction

At Sycamore Labs, Inc. (“Sycamore”, “we”, “us”, or “our”), security is foundational to our mission of building trusted, enterprise-grade AI systems.

We value the work of the security research community and welcome responsible disclosure of vulnerabilities. This Bug Bounty Program outlines how to report vulnerabilities, the scope of eligible systems, and the expectations for participating in this program.

Program Overview

This program is intended to encourage responsible security research and coordinated disclosure.

If you believe you have discovered a vulnerability in our systems, we ask that you report it to us in accordance with this policy so we can investigate and address it promptly.

Scope

In Scope

Sycamore Platform (including “Sycamore Forge”)

  • Web applications and API endpoints
  • Authentication and authorization systems
  • Tenant isolation, sandboxing, and agent execution environments
  • Data storage, processing, and observability systems

Infrastructure

  • Cloud infrastructure and configurations
  • Network security controls
  • Containerization and sandbox escape vulnerabilities

Out of Scope

The following are not eligible under this program:

  • Third-party services, integrations, or dependencies not controlled by Sycamore
  • Social engineering (e.g., phishing, pretexting)
  • Physical security vulnerabilities
  • Denial of Service (DoS/DDoS) attacks or traffic flooding
  • Spam, content injection, or UI issues without a demonstrated security impact
  • Vulnerabilities requiring outdated or unsupported browsers, libraries, or platforms
  • Self-XSS or issues affecting only your own account without broader impact

Vulnerability Categories

We prioritize the following classes of vulnerabilities:

Critical

  • Remote code execution (RCE)
  • SQL injection or equivalent injection flaws
  • Authentication or authorization bypass
  • Sandbox or container escape
  • Privilege escalation across tenants or roles

High

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)
  • Exposure of sensitive data

Medium

  • Information disclosure
  • Security misconfigurations
  • Weak or improper cryptographic practices

Low

  • Best practice violations
  • Minor information leaks without meaningful impact

Reporting Guidelines

How to Report

Submit all vulnerability reports to: engg-team@sycamore.so

What to Include

To help us triage quickly, please include:

Vulnerability Description

  • Clear explanation of the issue
  • Severity assessment
  • Potential impact

Steps to Reproduce

  • Detailed, step-by-step instructions
  • Proof of concept (PoC), code, or screenshots
  • Environment details (browser, OS, etc.)

Affected Components

  • URLs, endpoints, APIs, or features
  • Any relevant configuration or version details

Optional: Suggested Remediation

  • If you have recommendations, feel free to include them

Example Report

Subject: [Security] [Severity] Brief Description

Vulnerability Type: [e.g., XSS, SQLi]
Severity: [Critical/High/Medium/Low]
Affected Component: [URL or feature]

Description:
[Details]

Steps to Reproduce:
1. ...
2. ...

Impact:
[What could happen]

Proof of Concept:
[Code/screenshots]

Suggested Fix:
[Optional]

Rules of Engagement

You agree to:

  • Report vulnerabilities promptly and responsibly
  • Use only accounts and data you are authorized to access
  • Avoid accessing, modifying, or exfiltrating data belonging to others
  • Minimize impact to systems and users during testing
  • Provide reasonable time for remediation before public disclosure

You must not:

  • Access or attempt to access data that does not belong to you
  • Disrupt, degrade, or impair our services
  • Conduct denial-of-service or resource exhaustion attacks
  • Use social engineering against Sycamore employees or customers
  • Publicly disclose vulnerabilities before we have resolved them
  • Violate any applicable laws or regulations

Rewards and Recognition

We are currently formalizing our reward structure.

For valid and responsibly disclosed vulnerabilities, we may provide:

  • Acknowledgment in our security hall of fame (with your consent)
  • Direct collaboration with our engineering team
  • Recognition for your contribution

Reward amounts and eligibility criteria may be introduced or updated at our discretion.

Response Timeline

We aim to respond promptly:

  • Initial response: within 48 hours
  • Status update: within 5 business days

Target remediation timelines:

  • Critical: 7 days
  • High: 14 days
  • Medium: 30 days
  • Low: 60 days

Actual timelines may vary depending on complexity and impact.

Safe Harbor

If you conduct security research in good faith and in accordance with this policy:

  • We will not pursue legal action against you
  • We will consider your research authorized
  • We will work with you to understand and remediate the issue

This safe harbor applies only to activities consistent with this policy and does not extend to actions that violate applicable laws or compromise user data beyond what is necessary to demonstrate the vulnerability.

Confidentiality

You agree not to publicly disclose any vulnerability without prior written approval from Sycamore.

We commit to working with you to coordinate responsible disclosure when appropriate.

Relationship to Terms

This program does not grant permission to test systems outside the defined scope or to violate our Terms of Use. All participation must comply with applicable laws and our Terms.

Updates to this Program

We may update or modify this Bug Bounty Program at any time.

Continued participation after updates constitutes acceptance of the revised policy.

Contact

For all vulnerability reports and program inquiries: