How to report
Email security@tryarqo.com. That inbox is monitored on business days. Please include:
- A clear description of the issue and the impact you believe it has.
- Step-by-step instructions to reproduce — URLs, payloads, account details, browser, anything we need to see it ourselves.
- Proof-of-concept code or screenshots, if you have them. Redact any third-party user data.
- How you would like to be credited — your real name, a handle, or anonymously. We default to crediting unless you ask us not to.
We do not currently publish a PGP key for security@tryarqo.com. If your report is sensitive enough that you need encrypted transport, send a brief unencrypted message asking for a key and we will generate one and send it to you directly, outside this page.
Please give us a reasonable window to investigate and remediate before public disclosure. See Our SLA below for the timing we commit to.
What's in scope
In scope:
- tryarqo.com and any subdomain we operate (the marketing site, the web app, the API).
- The Arqo desktop application (Tauri shell) and the mobile applications (iOS, Android).
- Authentication, session handling, and authorization boundaries — including the per-script Vault when applicable.
- Server-side handling of script content, AI calls, and the JMNPR corpus pipeline.
- Data exfiltration, privilege escalation, account takeover, and any vulnerability that lets one user read or modify another user's work.
Out of scope:
- Third-party services we integrate with (Supabase, Anthropic, Liveblocks, Vercel, Sentry). Report those to the operator directly.
- Findings that require physical access to a writer's unlocked device, or that depend on already-compromised credentials we did not leak.
- Reports generated solely by automated scanners with no demonstrated impact (missing security headers without a working exploit, TLS configuration nits on services we do not control, theoretical CSP weaknesses with no path to execution).
- Social-engineering attacks against Arqo staff, our vendors, or our writers. Do not test these.
- Denial-of-service testing, traffic flooding, or any activity that degrades service for other users. Do not run load against production.
- Spam, content-moderation, or abuse-of-features reports — write to hello@tryarqo.com for those.
When in doubt, send the report. We would rather decline an out-of-scope finding politely than miss an in-scope one.
Our SLA
We commit to the following turnaround times. If we miss one, the right move is to email security@tryarqo.com again — not to assume the report has been ignored.
| Stage | Window | What it means |
|---|---|---|
| Acknowledgement | Within 3 business days | A human at Arqo confirms we received your report and have a tracking ID for it. |
| Triage | Within 7 business days | We confirm whether we can reproduce the issue, our preliminary severity, and the rough timeline for a fix. |
| Remediation | Severity-dependent | Critical issues land within 7 days. High within 30 days. Medium within 90 days. Low at our discretion. We update you when the fix ships. |
| Coordinated disclosure | After remediation, by mutual agreement | We credit you (unless you opted out) and you are free to publish your write-up. If a fix is delayed, we will tell you why and propose a new date rather than go silent. |
Safe harbor
If you make a good-faith effort to comply with this policy while researching a vulnerability in Arqo, we will:
- Treat your research as authorized — you have permission to test against your own account and against accounts you control with explicit consent.
- Not pursue or support legal action against you under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, or any equivalent law in your jurisdiction.
- Not pursue civil action against you for incidental terms-of-service violations resulting from the research.
- Work with you on coordinated disclosure timing rather than file complaints first and ask questions later.
Good faith means: stop as soon as you have demonstrated the issue, do not access more user data than necessary to confirm it, do not modify or destroy data, do not exfiltrate data off our systems, and report promptly through the channel above.
This safe harbor does not extend to attacks against other users' data, denial-of-service against production, social engineering of Arqo staff or vendors, or any activity prohibited by applicable law that is unrelated to the security research itself.
Bounty status
Arqo does not currently run a paid bug bounty program. We are pre-revenue and would rather be honest about that than publish a program we cannot fund.
What you do get for a valid report:
- Public credit on the hall of fame below, if you want it.
- A direct line to engineering until the fix ships.
- Arqo swag once we have it, mailed at our cost.
- A standing offer: when we do launch a paid program, every researcher who reported a valid issue beforehand gets grandfathered onto the invite list.
Hall of fame
No reports yet. The first researcher to send us a valid finding gets the top of the list and as much credit as they want.
Contact
Security reports: security@tryarqo.com.
Machine-readable contact information is published at /.well-known/security.txt per RFC 9116.
Non-security questions about data handling go to data@tryarqo.com — see /data-policy for the full plain-English data commitments.