Security policy

The security of our community's data is our priority. This page describes how to report a vulnerability and how we respond.

1. Report a vulnerability

If you discover a security vulnerability, please email security@aukilo.com (or contact@aukilo.com with "[SECURITY]" in the subject).

We acknowledge receipt within 72 business hours and keep you informed of the progress.

To speed up triage, please include if possible:

  • a clear description of the vulnerability and its impact;
  • steps to reproduce it;
  • the app version or URL concerned;
  • your handle if you wish to be credited.

2. Scope

This policy covers:

  • the web site and subdomains of aukilo.com;
  • the Aukilo mobile app (iOS and Android);
  • the Supabase Edge Functions deployed under the official project.

3. Out of scope

The following items are not covered and not eligible for responsible disclosure:

  • denial-of-service attacks (DoS / DDoS);
  • phishing and social engineering against the team or users;
  • mass scraping or attempts to bypass quotas;
  • vulnerabilities already known or being fixed;
  • third-party services (Vercel, Supabase, Firebase, Google) — please report them directly to the vendor;
  • stale email addresses or parked domains.

4. Our commitment

If you follow the rules of this policy:

  • we will not pursue legal action against you;
  • we will work with you to confirm and fix the issue;
  • we will credit you publicly (with your consent) once the fix is deployed;
  • we will publish an anonymous post-mortem when relevant.

Aukilo does not (yet) operate a paid bug bounty program. Recognition is symbolic.

5. Rules to follow

To benefit from our commitment, please:

  • do not access or modify user data without their consent;
  • do not degrade the service or disrupt its operation;
  • do not disclose the vulnerability publicly before we have fixed it;
  • do not exploit the vulnerability beyond a minimal proof of concept.

6. User data

Aukilo processes personal data in accordance with the GDPR and our privacy policy. If a vulnerability exposes personal data, we will comply with the notification obligations required by law (to the CNIL and to affected users).

7. Contact

For any question on this policy: security@aukilo.com.

PGP key available on request for sensitive reports.