Security Disclosure
Last updated · 13 July 2026
Security researchers make the internet safer, and we want to hear from you. Here is the deal we offer.
How to report
Email [email protected] with the subject 'SECURITY'. Include what you found, where (URLs, endpoints), reproduction steps and impact as you see it. Encrypted or plain — clarity matters more than format. You will get a human acknowledgement within 72 hours.
Our commitments
- We investigate every credible report and keep you updated on progress
- Good-faith research under this policy will not be met with legal action
- We aim to fix confirmed critical issues fast and will credit you publicly if you want credit
- We will not go quiet: you hear from us at acknowledgement, triage and fix
Ground rules
- Do not access, modify or exfiltrate other users' data — proof-of-concept on your own accounts only
- No denial-of-service, spam floods or social engineering of our team
- Give us reasonable time to fix before any public disclosure
- Automated scanning that degrades the service for users is out of bounds
Scope
autoones.com and its subdomains, our APIs and official apps. Third-party services we merely use (payment processors, email providers) have their own programmes — report their bugs to them.
Questions about this page? Open a support ticket — a human replies to every one.