Archestra is a security-focused platform — protecting AI agents from prompt injection and data exfiltration is our core mission. Holding our own codebase to the same standard matters just as much. This page describes how to report security vulnerabilities responsibly and what to expect in return.
Responsible Disclosure
If you discover a security vulnerability in Archestra, please report it directly to the security team rather than opening a public issue. Public disclosure before a fix is available can put users at risk.
Contact the Security Team
Email all security-related reports to: security@archestra.ai
Include a clear description of the vulnerability, steps to reproduce it, and your assessment of the potential impact. The team will acknowledge your report and work with you on a coordinated disclosure timeline.
Bug Bounty Program
Archestra’s bug bounty program is currently in development. In the meantime, the team actively appreciates responsible disclosure of security issues and is willing to compensate researchers based on the severity of the vulnerabilities they report.
Report a Vulnerability
Email security@archestra.ai with full reproduction steps and a severity assessment. The team reviews every report and responds promptly.
Compensation
Compensation is assessed case-by-case based on the severity and impact of the disclosed vulnerability. The team will discuss terms directly with the reporter.
What Makes a Good Report
A high-quality security report helps the team reproduce and fix the issue as quickly as possible. Include the following where applicable:
Recommended Report Contents
- Summary: A concise description of the vulnerability and its class (e.g. SSRF, XSS, authentication bypass, prompt injection in the platform itself).
- Steps to reproduce: A minimal, numbered sequence of steps that reliably triggers the issue. Include any relevant environment details (OS, browser, Docker version, etc.).
- Impact assessment: Your estimate of what an attacker could achieve by exploiting this — data accessed, actions taken, affected users.
- Proof of concept: A screenshot, screen recording, or code snippet that demonstrates the vulnerability is real and reproducible.
- Suggested fix (optional): If you have an idea for how to remediate the issue, include it. The team values researcher input on mitigations.
Scope
Vulnerabilities in the following areas are most impactful and most likely to qualify for compensation:
- Authentication and authorisation bypasses in the Archestra platform
- Data exfiltration or privilege escalation via the LLM Proxy
- Bypasses of the AI tool guardrails that Archestra is designed to enforce
- Remote code execution or SSRF in any platform component
- Injection vulnerabilities (SQL, command, prompt) in the platform itself
Theoretical or highly speculative vulnerabilities without a clear reproduction path may not qualify for the bounty programme. Practical, demonstrated impact is the key criterion.
Coordinated Disclosure Timeline
After you report a vulnerability, the general process is:
Acknowledgement
The security team acknowledges receipt of your report, typically within a few business days.
Assessment
The team reproduces the issue, assesses severity, and determines the fix approach. They will keep you updated on progress.
Fix and Release
A fix is developed, tested, and released. The team coordinates the public disclosure date with you.