Bug Bounty Program
Responsible disclosure guidelines and security reward programs for O3 AI. Last updated: March 13, 2026.
1. Responsible Disclosure Policy
We welcome reports from security researchers to help keep O3 AI secure. If you believe you have discovered a vulnerability, security flaw, or access exploit in our application, API endpoints, or database structures, please report it to us immediately.
2. Reporting Guidelines
Please submit your detailed proof of concept directly to security@o3runs.tech. Include step-by-step instructions to reproduce the issue, target URLs, and any payload samples. Do not perform destructive actions, exfiltrate user data, or disrupt active services.
3. Scope of Testing
Vulnerability testing is permitted on all o3runs.tech domains and web interfaces. Out of scope targets include physical office security, social engineering attacks, third-party subprocessors (like OpenAI or Stripe), and spam/DDOS activities.
4. Rewards & Recognition
We evaluate bounty rewards based on the severity classification of the vulnerability (CVSS rating). Qualifying disclosures receive monetary bounties or recognition on our public security contributors board, at our sole discretion.