Security · Responsible Disclosure

Find a vulnerability? Report it before disclosing it.

ECOEMIT SOLUTIONS SARL · operating as Pilot5.ai

We take the security of pilot5.ai and of our users' data seriously. If you believe you have found a vulnerability, please report it before disclosing it publicly. We will investigate promptly and keep you informed.

How to report

Email a description of the issue to security@pilot5.ai. If you do not receive an acknowledgement within two business days, escalate to legal@pilot5.ai.

Please include:

  • A description of the vulnerability and its potential impact.
  • Step-by-step reproduction instructions.
  • Any supporting artefacts — logs, proof-of-concept, screenshots — that help us triage.
  • Your preferred name or handle for acknowledgement (optional).

The same contacts are published in machine-readable form at /.well-known/security.txt (RFC 9116).
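As an added illustration (not the live file served by pilot5.ai, whose contents this page does not show), the following script parses a constructed security.txt and applies the checks RFC 9116 spells out: `Contact` and `Expires` are required, `Expires` and `Preferred-Languages` may appear at most once, contact URIs must use `mailto:`, `tel:` or `https://`, and `Expires` should be a future date no more than a year out. The two contact addresses come from this page; the `Policy` URL and the second, deliberately broken sample are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example; the samples below are constructed for illustration and are
not the file pilot5.ai actually publishes.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: contacts from the disclosure page, placeholder Policy URL.
SAMPLE_SECURITY_TXT = """\
# Constructed example, not the live pilot5.ai file
Contact: mailto:security@pilot5.ai
Contact: mailto:legal@pilot5.ai
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, fr
Policy: https://example.invalid/security
"""

# Constructed sample with defects a defender's check should catch.
BAD_SECURITY_TXT = """\
Contact: http://example.invalid/report
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUED_FIELDS = ("expires", "preferred-languages")
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return a mapping of lower-cased field name -> list of values.

    Field names are case-insensitive per RFC 9116; comments start with '#'.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':' separator): {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of human-readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for name in SINGLE_VALUED_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    for contact in fields.get("contact", []):
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"contact must be a mailto:, tel: or https:// URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            # Accept the trailing 'Z' form on Python versions before 3.11.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an ISO 8601 date-time: {expires[0]}")
        else:
            if exp <= now:
                problems.append("expires is in the past; the file is stale")
            elif exp - now > timedelta(days=366):
                problems.append("expires is more than a year out (RFC 9116 recommends at most one year)")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        issues = check_security_txt(sample, now=datetime(2029, 6, 1, tzinfo=timezone.utc))
        print(f"{label}: {issues or 'OK'}")
```

Run it against a file fetched from a site you operate (for example as part of a periodic job) so a lapsed `Expires` or a typo in a contact address is caught before a researcher hits a dead mailbox.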

Scope

In scope:

  • pilot5.ai and subdomains we operate (mcp.pilot5.ai, api.pilot5.ai, staging-api.pilot5.ai, accounts.pilot5.ai).
  • The Pilot5 MCP server at https://mcp.pilot5.ai/mcp.
  • Authentication and authorization flows (Clerk-backed OAuth 2.1).
  • Credit accounting, billing, and payment handling.
  • Data isolation between user accounts.

Out of scope:

  • Third-party services we depend on (Clerk, Supabase, Stripe, Railway, Vercel, OpenRouter, and upstream LLM providers). Report those directly to the relevant vendor.
  • Denial-of-service testing without prior written agreement.
  • Reports based solely on missing security headers with no demonstrable exploitability.
  • Social engineering of our staff, suppliers, or users.
  • Physical attacks against our infrastructure or personnel.

Our commitments

  • Acknowledge receipt within two business days.
  • Provide a triage decision (valid, duplicate, out-of-scope) within five business days.
  • Keep you informed of remediation progress on a reasonable cadence.
  • Credit reporters in any post-mortem or release note, with their consent.
  • Not pursue legal action against researchers who act in good faith, stay within scope, and do not violate applicable law.

Coordinated disclosure

We ask that you give us a reasonable period to remediate before public disclosure — typically 90 days from our acknowledgement, shorter if the issue is already being exploited in the wild. We are happy to coordinate disclosure timing and wording with you.
