Scope
In scope
If a vulnerability you've found applies to any of these surfaces, we want to hear about it:
- The application at app.outwright.ai and any of its API endpoints
- The marketing pages at outwright.ai, joinoutwright.com, getoutwright.com, and startoutwright.com
- The Outlook add-in distributed by Outwright
- Authentication, authorization, multi-tenant isolation, customer data exposure, or anything that breaks the privacy-first commitments documented on our Compliance page
- Sensitive data leakage in error responses, logs, or client-side bundles
- Server-side vulnerabilities — SQL injection, SSRF, RCE, deserialization, broken access control, etc.
Out of scope
The following are not in scope and will not be acknowledged with a fix or recognition:
- Social engineering, phishing of Outwright staff, or physical attacks against our offices
- Denial-of-service attacks, volumetric brute-force attacks against rate-limited endpoints, or anything intended to degrade availability
- Vulnerabilities in third-party services or open-source dependencies — please report those upstream to the vendor or maintainer
- Self-inflicted vulnerabilities (e.g., reports about installing malware on your own machine)
- Reports that rely on outdated browsers, end-of-life operating systems, or misconfigured endpoint security
- Best-practice recommendations without a demonstrable security impact (missing security headers without an exploit chain, weak SSL configs that don't enable an attack, etc.)
- Issues affecting customer-controlled OAuth providers (Microsoft Graph, Gmail) — please report those to Microsoft / Google directly
Safe harbor
Outwright will not pursue legal action against security researchers who:
- Make a good-faith effort to comply with this policy
- Promptly disclose findings to us at security@outwright.ai instead of publishing them
- Avoid privacy violations, destruction of data, and degradation of our service or any customer's service while testing
- Do not use information obtained during research for any purpose other than disclosing it to us
- Test only against accounts that they own or have explicit permission to test against
This safe harbor is intended to encourage security research that benefits all Outwright customers. We aim to make these terms compatible with the EFF's vulnerability disclosure FAQ and the standard responsible-disclosure norms used by Stripe, Vercel, and Cloudflare.
What we commit to
When you submit a report in good faith, we commit to:
If we can't meet a stated timeline, we'll tell you why and when we expect to be back on track.
Recognition
We'd like to acknowledge contributions from researchers who help keep our customers safe. If you submit a confirmed and remediated vulnerability and you'd like public credit, please tell us and we'll add you to the acknowledgments list below. If you'd prefer to stay anonymous, that's fine too — your call.
We are not currently running a paid bug bounty program. As we grow, we plan to add a structured bounty program (likely via HackerOne or Bugcrowd). Until then, recognition is the only formal benefit we can offer for confirmed reports.
Encrypted reports
For sensitive reports, an encrypted PGP channel is being set up; until the public key is published here, please send reports unencrypted to security@outwright.ai. Email between most enterprise providers is already TLS-encrypted in transit. If your report is unusually sensitive and you'd prefer to wait for PGP, email us and we'll coordinate.
Acknowledgments
Researchers who have responsibly disclosed verified vulnerabilities to Outwright will be listed here, with their consent.
No public acknowledgments yet — be the first.
Questions about this policy
If anything above is unclear or you'd like to discuss a specific test plan before running it, write to security@outwright.ai. For non-security questions, see our contact page.
This policy is published in machine-readable form at /.well-known/security.txt per RFC 9116. Last updated 2026-04-26.