Bug Bounty Policy

Sycamore Labs is committed to the security of our products and services. We welcome responsible disclosure of security vulnerabilities from the research community.

Scope

This policy covers all Sycamore Labs production services, APIs, and public-facing web applications. Out of scope are third-party services, social engineering attacks, and denial-of-service testing.

Guidelines

  • Provide a detailed description of the vulnerability, including steps to reproduce.
  • Do not access, modify, or delete data belonging to other users.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Act in good faith to avoid privacy violations, service disruption, and destruction of data.

Reporting

Please report vulnerabilities to security@sycamore.ag. Include your name (or handle), a description of the issue, and any supporting evidence such as screenshots or proof-of-concept code.

Recognition

We will acknowledge valid reports and work to resolve confirmed vulnerabilities promptly. Researchers who report qualifying vulnerabilities may be eligible for recognition or monetary reward at our discretion. We will not pursue legal action against researchers who follow this policy in good faith.