The security of our systems and user data is MacroDeep's top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.

Purpose

MacroDeep's mission is to build safe and powerful artificial general agents that benefit humanity. Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.

As part of our mission to advance safe and responsible AI development, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization.

Scope of Systems

This Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by MacroDeep, including any web or mobile applications hosted on those websites, including the macrodeep.com domain and related subdomains (collectively, "Information Systems").

This Policy does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to MacroDeep, even where under a MacroDeep domain. You should comply with the responsible disclosure efforts for those other systems.

Scope of Vulnerabilities

This Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross-site request forgeries, privilege escalation attacks, SQL injection, XSS, and directory traversal attacks.

This Policy excludes the following vulnerabilities, subject to MacroDeep's discretion:

— General security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept
— Physical compromise or intrusions
— Rate limiting or brute-force issues on non-authenticated endpoints
— Compromises involving an insider
— Social engineering (including phishing attempts)
— Reflected file downloads
— Account takeovers (including any brute force attacks on accounts that are not yours)
— Red-teaming or adversarial testing of our models
— Content issues with model prompts and responses
— Denial of service attacks
— Clickjacking on pages with no sensitive actions
— Missing HttpOnly or Secure flags on cookies
— Dependency hijacking
— Any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days

We welcome reports concerning safety issues, "jailbreaks," and similar concerns related to our AI models so that we can enhance the safety of our systems. Please report such issues to security@macrodeep.com with enough detail to replicate the issue.

How to Submit a Report

If you discover a security vulnerability in a MacroDeep system, please promptly report it to security@macrodeep.com. Include a detailed summary and any supporting details to help us understand, validate, reproduce, and respond to it quickly.

At a minimum, please provide:

— The type and severity of the vulnerability
— Technical details associated with the vulnerability
— A clear summary of the vulnerability
— The steps to reproduce the vulnerability
— URL or location of the vulnerability
— Proof-of-concept scripts, screenshots, or screen recordings
— If applicable, the potential impacts to the Information System
— Any recommended remediation actions

We ask that all reports be well-written, include only one vulnerability per report, and include any plans or intentions for public disclosure. The more detailed and clear the report, the more likely we will be able to investigate and respond effectively.

Research Guidelines

While we reserve final discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by the following:

— You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability and reporting such information to us
— You will avoid causing any harm to the Information Systems, including data destruction, disruption of services, or violation of user privacy
— You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that it exists
— You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent
— You will not exfiltrate, download, or otherwise retain any data you collect. If you inadvertently access any data, you will report such access to us as part of your report
— You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. We fully support researchers' right to publicly disclose vulnerabilities they discover — we ask only to coordinate on timing to prevent potential harm to our services and users
— You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own
— You must not perform any social engineering attacks (phishing, vishing, etc.) on any MacroDeep employee, contractor, or representative
— You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner
— You must not be listed on any applicable sanctions list, or reside in any country that has been sanctioned by the United States Government
— You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities

If you have any questions about this Policy or whether your research is consistent with these guidelines, please contact security@macrodeep.com before proceeding.

Your Expectations of Us

All good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to:

— Promptly evaluate your findings and, if we determine a vulnerability exists, validate and confirm it with you
— Take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible
— Protect your name and contact information and not disclose such information without your consent, unless required by law
— Refrain from taking legal action as set forth in the Safe Harbor section below
— With your permission, attribute your name and contribution on any public disclosure we make
— Acknowledge your submission within three (3) business days
— Make best efforts to keep you updated and confirm our remediation strategy within an established timeline

Safe Harbor

If you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to MacroDeep's compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.

Changes to this Policy

We reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.