Last updated July 10, 2026
Security
Axtary treats payload binding, fail-closed enforcement, attributable execution, and independent verification as product contracts. Responsible reports are welcome.
Report a vulnerability
Email security@axtary.com with the affected surface, impact, reproduction steps, and any safe supporting evidence. Do not include live credentials, private keys, provider tokens, or another person's data. We will acknowledge a reproducible report as capacity allows; there is currently no paid bug-bounty program.
Safe research boundaries
Use accounts and tenants you control. Avoid privacy violations, persistence, denial of service, social engineering, destructive actions, automated high-volume scanning, and accessing or changing data that is not yours. Stop and report if you encounter sensitive information or a path beyond the minimum proof needed.
Current posture
Local provider credentials remain at the runtime boundary; ActionPasses are short-lived and payload-bound; approvals bind to the exact payload hash; protected paths fail closed; and ledger exports can be verified independently. Axtary is early-stage and has not yet completed SOC 2 or a formal third-party penetration test. Those controls are not claimed.
Machine-readable contact
The canonical disclosure file is available at /.well-known/security.txt.