Security & Vulnerability Disclosure
Last updated: April 12, 2026
1. Our commitment
Security is foundational to OpenWrld. We take every report seriously and are committed to working with the security community to identify and resolve vulnerabilities responsibly. We appreciate researchers who follow responsible disclosure practices and will acknowledge your contribution if you wish.
2. Reporting a vulnerability
If you believe you have found a security vulnerability in OpenWrld, please report it to us directly via email. Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and address it.
Send your report to: hello@openwrld.ai
Please include as much detail as possible — steps to reproduce, the potential impact, and any proof-of-concept or supporting materials. The more context you provide, the faster we can triage and respond.
3. What to include in your report
- The affected URL, endpoint, or component
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any screenshots, logs, or proof-of-concept code
- Your name or handle if you wish to be credited
4. Our response process
We aim to acknowledge receipt of your report within 2 business days and provide an initial assessment within 5 business days. We will keep you informed as we work through investigation and remediation.
| Step | Timeline |
|---|---|
| Acknowledgement of report | Within 2 business days |
| Initial severity assessment | Within 5 business days |
| Patch for critical / high severity | Within 14 days |
| Coordinated public disclosure | Agreed with reporter |
5. Scope
In scope for this program:
- openwrld.ai and all subdomains
- OpenWrld web application and API endpoints
- Authentication and authorisation flows
- Data handling, storage, and access controls
Out of scope:
- Denial-of-service attacks
- Social engineering or phishing of OpenWrld staff
- Vulnerabilities in third-party services we depend on (report these to the vendor directly)
- Issues without a credible security impact
6. Safe harbour
If you conduct security research in good faith and in accordance with this policy — without accessing, modifying, or deleting data that is not your own — we will not pursue legal action against you. We consider responsible security research a valuable contribution and will work with you in good faith throughout the disclosure process.
7. Our security practices
OpenWrld takes security seriously across our infrastructure and development practices. Key security measures include:
- OAuth tokens encrypted with AES-256-GCM and stored in a secure credential vault
- TLS encryption in transit via Vercel infrastructure
- Workspace-isolated data storage — your data is never shared across accounts
- Authentication required for all product access
8. Contact
For all security-related enquiries, email us at hello@openwrld.ai. For general support, visit our support page.