Skip to content
Sonora Sonora Documentation

Vulnerability disclosure program

Sonora works with security researchers who report vulnerabilities responsibly. This page is the rules of the road: how to reach us, what’s in and out of scope, what protections we offer in return, and what you can expect from us once a report is in.

Machine-readable contact info lives at /.well-known/security.txt (RFC 9116).

How to report

Section titled “How to report”

Email security@usesonora.com. For sensitive findings, ask for a Signal number in your first message — we’ll send one before you share specifics.

Include:

  • A clear description of the issue and its impact
  • Steps to reproduce
  • Affected URL, endpoint, or component
  • Proof-of-concept code or screenshots, if available
  • How you’d like to be contacted for follow-up

Scope

Section titled “Scope”

In scope

  • usesonora.com and its subdomains
  • Sonora’s web application and public APIs
  • Tenant isolation — any flaw that lets one workspace read or modify another’s data
  • LLM features — prompt injection or data exfiltration in chat, summarization, or agents that crosses a trust boundary. The canonical example: an attacker-controlled meeting transcript causing the agent to leak another tenant’s data or take an unauthorized action. We ask for at least 50% reproducibility on a fresh session.

Out of scope

  • Third-party services Sonora integrates with — report those to the vendor
  • Social engineering or phishing of Sonora staff, contractors, or customers
  • Physical attacks against Sonora offices or staff
  • Denial-of-service or volumetric testing
  • Dependency vulnerabilities already disclosed and patched upstream
  • Automated scanner output without a working proof-of-concept
  • Missing best-practice headers or cookie flags without a demonstrated impact
  • Model output quality, factuality, or jailbreaks that produce off-policy text without a security or cross-tenant data impact — send those to support@usesonora.com

Rules of engagement

Section titled “Rules of engagement”
  • Test only against accounts you own or have explicit permission to test
  • Do not access, modify, or destroy customer data
  • Do not exfiltrate data beyond the minimum needed to demonstrate the issue
  • Securely delete any Sonora or customer data you accessed during testing once your report is filed; confirm deletion in writing if asked
  • Stop testing as soon as you confirm a vulnerability, and report it promptly
  • Give us a reasonable window to remediate before public disclosure — 90 days from acknowledgment by default, sooner by mutual agreement, longer if active exploitation requires it. Once a fix ships we publish an advisory and, with your permission, credit you.

Safe harbor

Section titled “Safe harbor”

If you make a good-faith effort to follow this policy:

  • We consider your research to be authorized access under the Computer Fraud and Abuse Act (and analogous state computer-crime laws) and authorized circumvention under DMCA §1201 anti-circumvention provisions.
  • We will not bring or support a legal claim against you for that research. If a third party does, we’ll make your authorization known.
  • Good faith is determined by mutual reference to industry-standard practice (for example, disclose.io Core Terms). Once safe harbor applies to specific research, we won’t withdraw it retroactively.
  • We can’t bind third parties — assume systems we integrate with are not covered, and report issues there to the relevant vendor.

What to expect from us

Section titled “What to expect from us”
  • Acknowledgment within 3 business days
  • Initial triage within 5 business days
  • Status updates at least every 14 days until resolution
  • Resolution timing depends on severity and complexity

Recognition

Section titled “Recognition”

Sonora does not currently pay bounties. With your permission, we credit reporters in our security advisories after the issue is resolved.