Vulnerability Disclosure

If you have found a security issue, here is the fastest path to a fix.

We welcome security research and coordinated disclosure. This page tells you what is in scope, how to report, what to expect from us, and the safe-harbor commitments we make to good-faith researchers.

How to report

One email. We monitor it.

Email [email protected] with as much of the following as you have:

  • A clear description of the issue and the affected component (Bolt, Aeira, sparcle.app, container image tag, Helm chart version).
  • Steps to reproduce, ideally with a minimal proof-of-concept.
  • The impact you believe the issue has (confidentiality, integrity, availability) and any mitigations or workarounds you have already identified.
  • Whether you would like credit if a fix is released, and the name you would like credited.

If your finding is sensitive enough that you prefer encrypted communication, request our PGP key in your initial message and we will reply with it. We do not require encryption for first contact, as it tends to slow reports down.

Our public security contact is also published per RFC 9116 at /.well-known/security.txt.

In scope

What we want reports on.

Bolt (bolt-api, bolt-pwa, bolt-native)

the agent runtime, web UI, and desktop client

Aeira (aeira-rs and shipped crates)

the data plane and its trait surface

bolt-license

license issuance and verification components

sparcle.app

the marketing and trust-center website you are reading right now

Container images

images published under ghcr.io/sparcle-llc, signed via cosign keyless

Helm charts

the deployment artifacts customers use to install Bolt and Aeira

Out of scope

What we cannot accept here.

Reports that fall into the categories below will be closed without a detailed reply. This is not a judgement on the underlying issue; it is a routing problem.

Third-party LLM providers

issues in OpenAI, Anthropic, Bedrock, Vertex, or Ollama belong to those vendors; please report them there

Customer-deployed instances

we cannot accept reports about a specific customer's Bolt or Aeira installation; please contact the customer directly

Denial-of-service via volumetric traffic

DoS / DDoS reports without a novel amplification or resource-exhaustion mechanism are out of scope

Social engineering of Sparcle staff

out of scope; please do not attempt

Physical attacks on Sparcle property

out of scope; please do not attempt

Vulnerabilities requiring already-compromised accounts or devices

out of scope unless the underlying compromise reveals a new issue

What you can expect from us

Our commitments to reporters.

Acknowledgement

We will acknowledge your report within 1 business day.

Triage

We will assess severity and confirm reproducibility within 5 business days.

Fix timeline

Critical issues in 7 days, High in 30 days, Medium in 90 days, Low in the next quarterly release. These match our internal patch SLA.

Coordinated disclosure

We aim for coordinated disclosure within 90 days of acknowledgement, extendable by mutual agreement if a fix requires additional time.

Credit

We will credit reporters who request acknowledgement, in release notes and on this page, after the fix ships and customers have a reasonable upgrade window.

Safe harbor

Good-faith research is welcome.

Sparcle will not pursue legal action against, or request law-enforcement action against, security researchers who report vulnerabilities under this policy in good faith. Good faith means you:

  • Make a good-faith effort to avoid privacy violations, data destruction, and degradation of our services or our customers' services.
  • Use only Sparcle-controlled test accounts and self-hosted test deployments. Do not access customer data, customer environments, or any data that is not yours.
  • Stop testing and report immediately if you encounter customer data, secrets, or anything that appears to be personal data.
  • Do not exploit a finding beyond what is necessary to demonstrate it.
  • Do not publicly disclose the issue before we have had a reasonable opportunity to remediate it (coordinated disclosure above).

This safe-harbor commitment applies to research conducted against Sparcle-owned systems and Sparcle-controlled test deployments only. We cannot extend safe harbor for research against customer-deployed instances; please contact the customer directly in those cases.

Honest framing

What this policy is not, yet.

We do not currently run a paid bug-bounty program. Acknowledgement and credit are the rewards we can offer today; we plan to evaluate a paid program after we publish our first third-party penetration-test results. We would rather under-promise here than make a commitment we cannot keep on cadence.

Sparcle's security program is run by the founding team. Reports sent overnight or on weekends are triaged the next business day; the acknowledgement target above is the binding commitment. Deeper coverage tiers (staffed on-call rotation, 24/7 SOC) activate at the customer-contract thresholds that warrant them. Any tighter cadence in an executed MSA, BAA, or DPA takes precedence over this page.

Policy version 0.2.