Vulnerability Disclosure

Point11 welcomes responsible security research on our production surfaces. If you find a vulnerability, we want to hear about it. See also our security practices.

In scope

• www.point11.ai, the marketing site
• point11.ai/app, the authenticated product surface
• point11.ai/agents, agent delivery and widget APIs
• point11.ai/industries/retail/demo and point11.ai/industries/government/demo (customer-owned domains are scoped case-by-case)
• point11.ai/api/v1, the public API (if assigned to you)

Out of scope

• Denial-of-service attacks (volumetric, resource exhaustion)
• Spam, social engineering, physical intrusion
• Missing security headers on static/marketing surfaces without a working exploit
• Outdated browsers, vulnerabilities in third-party SaaS we don’t control
• Reports from automated scanners without human-verified impact

Safe harbor

We will not pursue legal action against researchers who act in good faith, follow this policy, do not access data beyond what is necessary to demonstrate the issue, and give us a reasonable window to remediate before public disclosure.

How to report

Email security@point11.ai with a clear title, reproduction steps, and impact. We acknowledge reports promptly and prioritize remediation by severity. Researchers who report valid findings and consent to public credit are acknowledged on this page.