WARRANT
[email protected] Open the demo →
SECURITY POLICY · COORDINATED DISCLOSURE · RFC 9116
UPDATED 2026-05-08 · WARRANT TRUST

a fast lane and safe-harbor cover for security research.

Warrant ships records mapped to specific EU AI Act obligations, each independently verifiable without contacting Warrant, to regulated buyers. Findings get triaged on a published clock; good-faith research has explicit safe-harbor cover. The terms below set scope, targets, and what counts as good-faith.

REPORTING
[email protected]
One issue per email · include reproduction steps and the affected endpoint.
INITIAL TRIAGE
5 business days
From receipt · status update at 14 days · fix or detailed plan at 90 days.
SAFE HARBOR
In-scope · good-faith
No legal action for testing within the published scope. Do not exfiltrate user data.
01 · reporting security issues

send findings to a single inbox.

Send findings to [email protected]. One issue per email. Include reproduction steps, the affected endpoint, and any artefact (request, payload, screenshot) that helps a triager land on the same fault path.

PGP fingerprint: PGP key publication pending. Until the fingerprint lands here, send unencrypted reports and avoid embedding raw victim data.

02 · scope

what we will defend; what we will not.

In-scope:

  • api.warrant.build/attest · the endpoint that ingests a trace and issues the record
  • api.warrant.build/healthz · health probe
  • www.warrant.build/verify · the check that confirms a record is intact, run in the browser without contacting Warrant
  • The attestation record itself: a record mapped to a specific EU AI Act obligation that anyone can confirm is tamper-evident and independently verifiable

Out of scope:

  • Third-party dependencies (Anthropic, Render, Cloudflare Pages, Supabase, and the independent timestamping service that makes a record verifiable without contacting Warrant) · report to those vendors directly
  • Denial-of-service against demo endpoints
  • Social engineering of staff
  • Physical security of staff devices, residences, or office space
03 · safe harbor

good-faith research is welcome.

We commit to not pursuing legal action against good-faith research conducted within this scope. Test only with attestations you control. Do not access data you do not own, and do not exfiltrate or persist user data you encounter incidentally · purge it and tell us where the leak was.

04 · response targets

a published clock the regulator can read.

Initial triage
5 business days from receipt
Status update
14 days from triage
Fix or detailed plan
90 days from triage

A status update is a status update; it may say "still investigating" with a reason. A 90-day plan is allowed to be a plan, not a fix, when the work warrants the time.

05 · disclosure

coordinated by default; CVE where it earns one.

Coordinated disclosure preferred. Default 90-day clock from triage; we will negotiate earlier or later release with the reporter. CVE assignment via GitHub Security Advisories where the finding has a CVSS ≥ 4.0 or affects a published artefact.

06 · what we do not do

no paid bounty. no engagement with templated solicitations.

Warrant does not operate a monetary bug bounty. Acknowledgment for confirmed valid findings is by name on this page, not by payment. We say so plainly because we receive a steady stream of templated outreach that asks about a bounty before any specific finding is named.

We do not respond to reports that withhold reproduction details until a payment promise. The first email must contain the affected endpoint, the steps to reproduce, the observed behaviour, and the expected behaviour. Reports that read "a potential security finding was identified, full details on acknowledgment" are filtered.

We do not engage with template / beg-bounty solicitations. If the email could be sent unchanged to any startup with a public website, it does not warrant a reply.

We do not acknowledge automated-scanner output unless a human analyst has confirmed exploitability. Missing security headers, banner / version disclosure, SPF / DMARC posture, and rate-limit edge cases without an exploit chain are out of scope per the security.txt linked below.

07 · acknowledgments

named here, not paid here.

This section records the names of researchers whose confirmed findings have been triaged, fixed, and disclosed. Empty as of 2026-05-11. Future entries will list reporter, date of acknowledgment, CVE if assigned, and a one-line description of the finding.

This policy is mirrored at /.well-known/security.txt per RFC 9116 and at the repository root in SECURITY.md. The canonical record is the security.txt file; this page is the human-readable companion.