Reporting a security issue
How to responsibly disclose a security vulnerability in ADO Pilot, what to include, and how quickly we respond.
If you've found a security issue in ADO Pilot, we want to hear from you and we'll work with you in good faith to fix it. This page describes the scope, how to report, what to expect, and the safe-harbor commitments we make to good-faith researchers.
Scope
In scope:
- Authentication or authorization bypasses against the ADO Pilot backend, admin portal, onboarding wizard, or marketplace extension.
- Cross-tenant data access — any way to read, write, or infer another customer's data.
- Credential disclosure — any path that leaks tenant credentials, JWT signing material, or KEK/DEK contents.
- Server-side injection (SQL/NoSQL, command, server-side template, server-side request forgery).
- Sensitive data exposure in logs, telemetry, or HTTP responses.
- Webhook authentication weaknesses.
- Vulnerabilities in our published Azure DevOps marketplace extension that affect customer orgs.
Out of scope:
- Findings against third-party services we depend on (Azure, Anthropic, Stripe). Report those directly to the vendor.
- Volumetric denial-of-service against the production environment. We accept reports describing a DoS condition; we do not accept active flooding tests.
- Social engineering of ADO Pilot staff or customers.
- Issues that require a malicious extension already installed in the customer's Azure DevOps org with broader scopes than ADO Pilot itself uses.
- Missing security headers on marketing pages with no authenticated content.
- Self-XSS and clickjacking on pages without sensitive actions.
- Best-practice deviations without a demonstrated impact.
How to report
Email security@adopilot.dev. Encrypt sensitive details with our PGP key — request the current key by emailing the same address with the subject line PGP key request; we'll reply with the public key and fingerprint.
Please include:
- A clear description of the vulnerability and where it lives.
- Steps to reproduce, ideally with a minimal proof of concept.
- The impact you believe it has — what an attacker could read, write, or escalate to.
- Any tenant or account identifiers you used during testing, so we can scope cleanup.
- Your preferred contact and whether you want public credit when we publish a fix.
One issue per report keeps tracking clean.
What to expect
- Acknowledgement within 1 business day of receipt.
- Triage and severity assessment within 5 business days, with an initial remediation timeline.
- Status updates at least weekly while the issue is open.
- Coordinated disclosure. We aim to publish an advisory within 90 days of the report. If we need more time we'll tell you why; if you need to disclose sooner we'll work with you to make that safe.
- Credit, if you want it. With your permission we'll name you in the advisory and on a researcher acknowledgements page once the fix ships.
Safe harbor
If you make a good-faith effort to follow this policy, ADO Pilot will:
- Not pursue or support legal action against you for the research, including under the Computer Fraud and Abuse Act, the UK Computer Misuse Act, or analogous statutes in other jurisdictions.
- Treat the research as authorized under our terms of service.
- Work with you to understand and resolve the issue quickly.
Good-faith research means: only testing against accounts you control or have explicit permission to test against; not accessing, modifying, or destroying other customers' data; not running active denial-of-service; stopping and reporting as soon as you've established impact, rather than escalating.
If you're unsure whether something is in scope or whether your planned testing crosses a line, email us before you test.
What this page is not
We don't run a paid bug bounty program at this time. We do welcome reports and acknowledge researchers publicly with consent.
For non-security issues — billing, integration help, or product questions — use support@adopilot.dev.