Responsible Disclosure

We're pre-seed and don't pay cash bounties — yet. What we do offer: 48-hour acknowledgment SLA, CVE issuance for confirmed vulnerabilities, public credit (or anonymity, your choice), safe harbor for good-faith research, and direct contact with the engineer who fixes it. AI-specific vulnerabilities — prompt injection, data exfiltration, jailbreak, audit-trail tampering — are explicitly encouraged.

Scope

In-scope systems

console.jiegou.ai — Operating substrate + console (auth, RBAC, audit trail, workflow execution)
mcp.jiegou.ai — MCP server (tool governance + per-agent identity + approval gates)
jiegou.ai — Marketing site (CSP, headers, contact-form abuse, redirect handling)
JieGou Chrome Extension — Browser extension (Chrome Web Store) — credential handling, content-script isolation, MCP bridge

AI-specific vulnerabilities — explicitly encouraged

AI-substrate-specific vulnerabilities are where operator-grade research has the highest impact. The categories below are explicitly in scope and receive priority triage — we want to find these classes of bugs before they reach a customer's production workflow.

  • Prompt injection that bypasses approval gates or escalates agent permissions
  • Data exfiltration via context manipulation, tool-chaining, or RAG poisoning
  • Model jailbreak that produces actions outside the declared workflow scope
  • Audit-trail tampering, hash-chain forgery, or evidence-export bypass
  • Cross-tenant data leakage in multi-customer deployments (managed cloud shape)
  • BYOK key exfiltration or downgrade attacks against customer-supplied encryption

Out of scope

  • Third-party services (AWS, Stripe, LLM providers, Vanta, etc.) — report to vendors directly
  • Social engineering attacks against JieGou employees, customers, or partners
  • Denial of service (DoS/DDoS) attacks; volumetric load testing
  • Physical security attacks against offices, devices, or staff
  • Automated scanning without prior written approval
  • Any testing that could degrade availability for paying customers

Rules of engagement

  1. Do not access, modify, or delete customer data. If you accidentally access customer data, stop immediately and report it.
  2. Do not perform actions that could degrade service availability (no load testing, DoS, resource exhaustion).
  3. Use dedicated test accounts only. Create your own account for testing; do not test against other users' accounts.
  4. Report vulnerabilities promptly and allow reasonable time for remediation before public disclosure.
  5. Do not use automated scanners against production systems without prior written approval.
  6. Comply with all applicable laws.

How to report

Send reports to security@jiegou.ai

Please include

  • Description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, videos, or code)
  • Impact assessment
  • Suggested remediation (optional)
  • Your contact information for follow-up

Response timeline

  1. Acknowledgment: 48 hours
  2. Triage and severity assessment: 5 business days
  3. Remediation (Critical): 7 days
  4. Remediation (High): 30 days
  5. Remediation (Medium/Low): 90 days

Safe Harbor

JieGou will not pursue legal action against researchers who:

  • Follow this policy and the rules of engagement
  • Report vulnerabilities in good faith
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Do not access, modify, or exfiltrate customer data

This responsible disclosure policy does not constitute an employment or contractor relationship. JieGou reserves the right to modify this policy at any time.