Coordinated vulnerability disclosure
If you discover a security issue in the Lupid runtime, the policy plane, the endpoint shield daemon, or this website, please report it directly. We follow coordinated disclosure: we ask for time to remediate before public release and we credit you when the fix ships.
How to report
- Email [email protected] for the fastest path. PGP key fingerprint and public block are linked in /.well-known/security.txt per RFC 9116.
- For source-code level issues, open a private security advisory on the repository at github.com/LupidAI using GitHub's "Report a vulnerability" workflow.
- Please do not file public GitHub issues, public tweets, or social-media posts before we've had time to respond.
Our response timeline
- Acknowledge: within 24 hours of receipt.
- Initial assessment: within 5 business days, including severity classification and rough remediation timeline.
- Fix and disclosure: targeted at 90 days from initial report. We can extend if a fix is structurally hard; we will not extend silently.
- Credit: by name (or pseudonym) in the public advisory and in our brief at /blog/, unless you ask otherwise.
Scope
- In scope: the runtime gateway, policy plane, endpoint shield daemon, official client SDKs, this website (lupid.ai), and any subdomain.
- Out of scope: third-party services we link to, automated scanner output without a working proof of concept, denial-of-service findings against our public site, social engineering of staff.
Safe harbor
If you act in good faith — make a reasonable effort to avoid disrupting our services, do not access more data than necessary to demonstrate the issue, and follow this disclosure policy — we will not pursue legal action. You are authorized to investigate, exploit, and demonstrate the vulnerability for the purpose of writing a clear report.
Transparency is the trust signal
Most early-stage security vendors paper over the absence of formal certification with logos and "in progress" badges. We don't. Here is what we do have, and how to verify each claim yourself.
Every line is public.
The runtime, the policy plane, the gateway, and the endpoint shield daemon are Apache 2.0 on github.com/LupidAI. You can read what we ship, audit what changes, and pin any commit you want.
Our own runtime watches itself.
Lupid's audit ledger is the canonical record of every privileged action — including ones we take. The same hash-chained record we ship to customers is the one our team writes against.
Self-host by default.
Lupid is designed to run inside your cluster. The runtime never phones home; agent data, policies, and audit records stay on your infrastructure. There is no managed-data offering today, so there is no customer data we could leak.
What we don't yet claim.
We are not SOC 2 Type II audited. We are not ISO 27001 certified. We are not FedRAMP authorized. When that changes, this page will say so with the auditor's name and report date — never as an "in progress" badge.
This website's security posture
Lupid.ai is a static site served by Cloudflare's edge. The threat surface is small but worth being explicit about.
- HTTPS-only with HSTS enabled (max-age=31536000; includeSubDomains; preload). HTTP requests are 301'd to HTTPS at the edge.
- CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy are set in _headers. Verifiable independently at securityheaders.com.
- No tracking beyond Google Analytics 4 (page views, scroll, outbound clicks). No retargeting pixels, no session replay, no third-party advertising scripts.
- Cookies: only the GA4 cookies (_ga, _ga_*). See /privacy/.
- No login, no account system, no sensitive form posts. The contact page embeds a Google Calendar booking iframe; no PII is collected on this domain.
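
One way to check the header claims above against a response you captured yourself. This is an added example, not code from Lupid; the function names and both sample header sets are constructed for illustration, and the threshold is the max-age value stated in the list.

```python
REQUIRED = ("content-security-policy", "x-frame-options",
            "referrer-policy", "permissions-policy")
MIN_MAX_AGE = 31536000  # the max-age value stated on this page (one year)


def parse_hsts(value):
    """Parse Strict-Transport-Security into {directive: value-or-True} (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            # Directive names are case-insensitive; max-age may be a quoted string.
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def audit(headers):
    """Return a list of findings; an empty list means the stated claims hold."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = hsts.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()):
        findings.append("HSTS: missing or malformed max-age")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} is below {MIN_MAX_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"HSTS: {flag} directive absent")
    findings += [f"missing header: {name}" for name in REQUIRED if name not in h]
    return findings


# Constructed sample responses, not captured from lupid.ai.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
}
WEAK = {"strict-transport-security": 'MAX-AGE="300"; includeSubDomains',
        "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(sample) or "all claims hold")
```

To run it against a live response, pass audit() a dict built from the headers your own HTTP client returned for the HTTPS page.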
Reach us
- Security disclosures: [email protected]
- RFC 9116 metadata: /.well-known/security.txt
- General team contact: [email protected]
- Source: github.com/LupidAI
See how the runtime catches each attack class.
Step-by-step CVE walkthroughs in The Lupid Brief — EchoLeak, CurXecute, Trust Issues, browser agents, MINJA-shaped memory poisoning.