Bug Bounty Program

Help us protect our users. We reward security researchers who responsibly disclose vulnerabilities.

Scope

In Scope

•*.archways.ai
•app.archways.ai
•www.archways.ai
•vendor.archways.ai

Out of Scope

•Social engineering attacks
•Denial of Service (DoS/DDoS)
•Physical attacks against our infrastructure
•Third-party services we don't control

Eligible Vulnerabilities

We're particularly interested in the following types of vulnerabilities:

Authentication Issues

Bypasses, session management flaws

Authorization Flaws

Privilege escalation, IDOR

Data Exposure

Information disclosure, sensitive data leaks

Injection Attacks

SQL injection, XSS, command injection

CSRF Vulnerabilities

Cross-site request forgery

Server-Side Issues

SSRF, XXE, remote code execution

Severity Levels

Low

Minor security issues with limited impact

Medium

Moderate security vulnerabilities

High

Significant security issues

Note: Reward amounts are determined based on severity, impact, and quality of the report. Final amounts are at Archways' discretion.

Program Rules

Only test against your own accounts or with explicit permission
Do not exploit vulnerabilities beyond what's necessary to demonstrate the issue
Do not access, modify, or delete data belonging to other users
Report vulnerabilities within 24 hours of discovery
Keep vulnerability details confidential until we've resolved the issue
Submit one vulnerability per report for faster processing
Provide detailed reproduction steps and proof of concept
First valid report of a vulnerability wins the bounty

How to Report

Send your vulnerability report to our security team with the following information:

Vulnerability Description

Clear explanation of the security issue

Impact Assessment

What an attacker could do with this vulnerability

Reproduction Steps

Step-by-step instructions to reproduce the issue

Proof of Concept

Screenshots, videos, or code demonstrating the vulnerability

Response Time: We aim to acknowledge reports within 48 hours and provide initial assessment within 5 business days.

Ready to Report a Vulnerability?

Email our security team with your findings. We appreciate your help in keeping Archways secure.

Report Vulnerability Back to Security

Last updated: October 2025