Responsible Disclosure

Guidelines for security researchers and ethical hackers.

At Metanthropic, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.

1. Our Philosophy

We believe in "Safe Harbor" for researchers. If you conduct your research in good faith and in accordance with this policy, we will consider your actions authorized, we will not bring legal action against you, and we will work with you to understand and resolve the issue quickly.

2. How to Report

Please email your findings to security@metanthropic.com.

• Subject Line: Please use "Vulnerability Report: [Type of Issue]".
• Content: Include a Proof of Concept (PoC) or clear steps to reproduce the vulnerability.
• Encryption: For sensitive reports, please use our PGP key (Fingerprint: META SEC 2025 KEY).

3. What is In Scope

We are interested in vulnerabilities that could compromise the confidentiality, integrity, or availability of our services, including:

• Authentication or Authorization flaws (e.g., bypassing API limits).
• Server-side code execution (RCE).
• Significant model extraction attacks (extracting weights/training data).
• Prompt Injection that leads to privilege escalation (not just jailbreaks).

4. What is Out of Scope

The following activities are strictly prohibited:

• Physical attacks against our offices or data centers.
• Social engineering (phishing) of our employees.
• Denial of Service (DoS/DDoS) attacks.
• "Jailbreaking" the model to say rude things (unless it reveals a systemic safety failure).

5. Response Timeline

We are committed to acknowledging receipt of your report within 48 hours and providing an estimated timeframe for resolution within 5 business days. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.