Security
Responsible disclosure & safe harbor.
We take security reports seriously. If you’ve found something, please tell us — we’ll acknowledge within 48 hours and keep you in the loop through the fix.
How to report
- Email: security@rexa.ai
- PGP: /security-pgp-key.asc
- Machine-readable policy: /.well-known/security.txt
Please don’t include sensitive details in the initial email if the report is Critical — we’ll reply with a PGP-encrypted follow-up within the hour.
Scope
In scope: everything under rexa.ai, api.rexa.ai, rooms.rexa.ai, admin.rexa.ai, and any SDK or sample-app repository we publish under the github.com/rexa-ai organization.
Out of scope: DDoS, rate-limit bypass attempts, third-party services we integrate with (Stripe, Telnyx, Twilio, Plivo, Daily.co, Resend), and findings that require authenticated access to another customer’s account without a disclosed cross-tenant vector.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we’ll consider your research to be authorized. We’ll work with you to understand and resolve the issue quickly. We won’t pursue legal action against you, and we’ll advocate for you if any third party takes issue with your research.
Good faith means: don’t access other customers’ data beyond the minimum needed to demonstrate the issue; don’t publicly disclose before a fix ships or 30 days have passed (whichever comes first); don’t degrade our service for other users.
Our SLAs
- Acknowledgement: within 48 hours
- Critical fix: 30 days
- High fix: 30 days
- Medium fix: 60 days
- Low fix: 120 days
Credit & hall of fame
With your consent we’ll list you here after a fix ships. Pseudonyms are fine.
No disclosures credited yet.