Responsible Disclosure and Vulnerability Reporting
Last updated: April 17, 2026
1. Commitment
Intended welcomes security research. We commit to working constructively with researchers who report vulnerabilities responsibly, acknowledging contributions, and resolving issues promptly. This policy establishes the rules of engagement and safe-harbor terms for good-faith security research on Intended systems and software.
2. In-scope systems
- intended.so (public marketing site) and its subpaths
- console.intended.so — customer operator console
- api.intended.so — Authority Engine API endpoints when published at this origin
- backoffice.intended.so — non-invasive, read-only reconnaissance only (active probing is out of scope)
- Published open-source repositories at github.com/intended-so/* — Open Intent Layer (OIL), Verification SDK, Connector SDK, CLI, MCP Gateway, OpenShell Adapter
- Published SDK packages: @intended/node, intended (PyPI), @intended/cli, and other packages published from the intended-so organization
3. Out-of-scope systems and activities
- Third-party services Intended does not operate (AWS, Stripe, Resend, Twilio, OpenAI, Anthropic, and similar). Report those directly to the respective provider
- Social engineering of Intended personnel, customers, or vendors
- Physical attacks on Intended offices or personnel
- Denial-of-service, distributed denial-of-service, or volumetric testing against Intended systems
- Spam, phishing, or unsolicited-message testing
- Automated-scanner findings that require no manual analysis or do not demonstrate concrete exploitability
- Best-practice recommendations not tied to a concrete vulnerability (e.g., header hardening suggestions without a demonstrated attack). These are appreciated as product feedback but do not qualify as vulnerability reports under this policy
- Vulnerabilities in end-of-life versions of SDKs or components explicitly marked as Preview, Beta, Alpha, or Roadmap
- Findings that require physical access to a user's device or a user's own compromised credentials
4. Safe harbor
If you make a good-faith effort to comply with this policy, Intended will not pursue or support any legal action against you related to your research, including under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Digital Millennium Copyright Act (17 U.S.C. § 1201), comparable state computer-crime laws (including California Penal Code § 502), the Defend Trade Secrets Act, or Intended's Terms of Service. We will work with you to understand and resolve the issue promptly and will recognize your contribution publicly if you wish.
- Safe harbor applies only to research conducted in accordance with this policy
- Safe harbor does not authorize accessing data beyond what is necessary to demonstrate the vulnerability, persisting after initial proof-of-concept, exfiltrating data, creating backdoors, or degrading the service for Intended or its customers
- Safe harbor does not grant you protection from third-party claims. Research only on systems and accounts you control or are authorized to test. Testing against other customers' tenancies, accounts, or data is strictly prohibited and falls outside this safe harbor
- If you are uncertain whether a specific activity is permitted, contact disclosure@intended.so before testing. We will respond within two (2) business days
5. How to report a vulnerability
- Primary channel: email disclosure@intended.so
- Encrypted submissions: Intended's PGP key is published at intended.so/.well-known/pgp-key.txt. If a PGP key is not yet published at the time of your report, contact disclosure@intended.so to request an alternate encrypted channel (age or Signal)
- Structured metadata: a security.txt file per RFC 9116 is published at intended.so/.well-known/security.txt
- What to include: vulnerability description, affected system or endpoint, reproduction steps, minimal proof-of-concept, assessed impact, suggested mitigation, and any relevant timeline constraints
- Language: English preferred. Reports in other major languages will be accepted and translated
6. Our commitments and service levels
- Acknowledgment: within two (2) business days of initial report
- Initial triage and severity assignment: within five (5) business days using CVSS 3.1
- Remediation targets: Critical within fourteen (14) days; High within thirty (30) days; Medium within sixty (60) days; Low within ninety (90) days. Complex issues may require additional time, and we will communicate expected timelines
- Closure notification: when a fix is released or risk is formally accepted, we notify the reporter
- Public-disclosure coordination: we generally support public disclosure ninety (90) days after initial report or upon release of a remediating fix, whichever is earlier, with mutual coordination. CVE and GitHub Security Advisory identifiers are requested where appropriate
- Regular status updates every two (2) weeks while the report is open
7. Recognition and rewards
Intended maintains an acknowledgments page for researchers who meet the guidelines of this policy and wish to be recognized. Participation in acknowledgments is at the researcher's discretion. Monetary rewards are not part of a formal public bug-bounty program at this time. Intended may, at its discretion, offer monetary recognition for exceptional reports. A private, invite-only bug-bounty program is on the roadmap and is targeted for late 2026, subject to business and operational readiness.
8. Prohibited conduct
- Publicly disclosing a vulnerability before Intended has had a reasonable opportunity to remediate (default ninety-day embargo from report date, subject to mutual extension)
- Extortion, ransom demands, or "pay us or we publish" communications. Such conduct voids safe harbor and will be referred to law enforcement
- Testing against Customer production data, credentials, or tenancies without explicit, written authorization from that Customer
- Chaining multiple low-impact findings to construct and execute a destructive attack rather than reporting each finding responsibly
- Retaining, sharing, or disclosing any Customer personal data encountered during testing. If Customer personal data is inadvertently accessed, stop immediately, do not retain it, and report the incident in your submission
9. Coordinated disclosure model
- Default disclosure timeline: ninety (90) days from initial report
- Extensions may be granted on mutual agreement where remediation is genuinely in progress
- Disagreements escalate to a mutually chosen neutral third party (for example, CERT/CC at Carnegie Mellon University)
- Researchers are encouraged to request a Coordinated Vulnerability Disclosure (CVD) plan at the start of a report if a specific disclosure date is desired
10. Legal
This policy does not create a contract between Intended and any researcher and is not a warranty. Intended may update this policy; material changes are dated in the change log below. This policy is governed by the laws of the State of Delaware, without regard to conflict-of-law principles. Nothing in this policy limits Intended's ability to comply with legal obligations or to protect its systems, customers, or personnel.
11. Contact
- Primary: disclosure@intended.so
- General security: security@intended.so
- Postal: Intended, Inc., Attn: Security, 2261 Market Street, San Francisco, CA 94114, US
- Encrypted submissions: PGP key at intended.so/.well-known/pgp-key.txt (published separately)
12. Change log
- 2026-04-17 — Initial publication of the Responsible Disclosure and Vulnerability Reporting policy