Responsible Disclosure
If you have discovered a security vulnerability in Hone Studio, we want to hear from you. We appreciate your help in keeping our platform and our clients' data safe.
Reporting a Vulnerability
Report to: security@honelabs.dev
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce (as detailed as possible)
- The affected URL, endpoint, or component (if known)
- Any proof-of-concept (non-destructive only)
- Your preferred contact method for follow-up
You may encrypt your report using our PGP key (available on request).
Our Response
| Step | Target |
|---|---|
| Acknowledge your report | Within 2 business days |
| Initial assessment and severity classification | Within 5 business days |
| Status update | Within 10 business days |
| Remediation | Critical: 24 hours. High: 7 days. Medium: 30 days. Low: 90 days |
| Notify you when fixed | Within 2 business days of remediation |
We will keep you informed throughout the process. If we need additional information, we will reach out using your preferred contact method.
Scope
In Scope
- The Hone Studio web application and all client-specific domains
- The Hone Studio API
- The honelabs.dev marketing website
- Authentication and authorization mechanisms
- Data isolation between tenants
- AI prompt handling and output controls
- API key management
Out of Scope
| Category | Examples |
|---|---|
| Third-party services | Vulnerabilities in Supabase, Vercel, Railway, Anthropic (report to them directly) |
| Social engineering | Phishing, vishing, or physical social engineering |
| Denial of service | Volumetric attacks, resource exhaustion, service degradation |
| Spam or content abuse | Unsolicited messages or content feature abuse |
| Previously reported issues | Vulnerabilities already under remediation |
| Issues requiring physical access | Attacks requiring physical infrastructure access |
Testing Rules
When testing, you must:
- Not access, modify, or delete any client data
- Not degrade service availability or performance for any user
- Not test against production environments without prior written authorization from Hone Labs
- Not use automated scanning tools against production without prior written authorization
- Not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it
- Stop testing and report immediately if you accidentally access another user's or client's data
Safe Harbor
Hone Labs will not pursue legal action against security researchers who:
- Act in good faith and within the scope defined above
- Report findings promptly and confidentially
- Do not access, modify, or delete client data
- Do not disrupt platform availability
- Do not publicly disclose vulnerabilities before remediation
- Comply with all applicable laws
We consider security research conducted in accordance with this policy to be authorized and will not pursue civil or criminal action related to your research. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make reasonable efforts to make it known that your actions were authorized.
Recognition
We value the security research community. With your permission, we will acknowledge your contribution on this page (if you wish to be named) and provide a written letter of acknowledgment on request.
We do not currently operate a paid bug bounty program. This will be evaluated as the platform scales.
Disclosure Timeline
After a vulnerability is remediated:
- We may publish a brief advisory describing the issue (without identifying the reporter unless they consent)
- We will coordinate public disclosure timing with you
- We ask that you allow at least 90 days from your initial report before any public disclosure, to ensure all clients are patched and protected
Contact
- Security reports: security@honelabs.dev
- General security questions: security@honelabs.dev
- PGP key: Available on request
- Preferred language: English
security.txt
The following content is placed at /.well-known/security.txt on all Hone Labs domains:
```text
# Hone Labs LLC Security Contact
# https://honelabs.dev/security/disclosure
Contact: mailto:security@honelabs.dev
Preferred-Languages: en
Canonical: https://honelabs.dev/.well-known/security.txt
Policy: https://honelabs.dev/security/disclosure
Expires: 2027-03-05T00:00:00.000Z
```
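A file like this is only useful if it is actually reachable at the well-known path, still unexpired, and points back at itself. The checker below is an added example written for this page, not Hone Labs' own tooling: it parses the RFC 9116 field syntax, enforces the two required fields (`Contact` and `Expires`), and flags the usual mistakes (an `Expires` that has passed or is more than a year out, a `Contact` without a URI scheme, a `Canonical` that does not match the URL the file was served from). The `served_from` and `now` parameters are assumptions of this example so the result is reproducible; the sample body is the file text published above.

```python
"""Minimal RFC 9116 (security.txt) checker.

Added example for this page, not Hone Labs' own code. `SAMPLE` is the
security.txt text published on the page; `served_from` and `now` are
parameters of this example, not part of the published file.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Sample input: the file text published on the page.
SAMPLE = """\
# Hone Labs LLC Security Contact
# https://honelabs.dev/security/disclosure
Contact: mailto:security@honelabs.dev
Preferred-Languages: en
Canonical: https://honelabs.dev/.well-known/security.txt
Policy: https://honelabs.dev/security/disclosure
Expires: 2027-03-05T00:00:00.000Z
"""

SINGLE_VALUED = {"Expires", "Preferred-Languages"}  # RFC 9116: at most once each
MAX_LIFETIME = timedelta(days=365)  # RFC 9116 recommends Expires less than a year out


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map each field name to its list of values, skipping blank and comment lines."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (expected 'Name: value'): {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2027-03-05T00:00:00.000Z (offset required)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return parsed


def check_security_txt(body: str, served_from: str, now: str) -> list[str]:
    """Return the problems found; an empty list means the file looks sane.

    served_from: URL the body was fetched from (to validate path and Canonical).
    now: check time as an RFC 3339 string, passed in rather than read from the
         wall clock so the outcome is reproducible.
    """
    problems: list[str] = []
    fields = parse_security_txt(body)
    today = _parse_rfc3339(now)

    if not served_from.endswith("/.well-known/security.txt"):
        problems.append("file must be served at /.well-known/security.txt")

    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} may appear only once")

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact is required")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI with a scheme: {contact}")

    expires = fields.get("Expires")
    if not expires:
        problems.append("Expires is required")
    else:
        try:
            exp = _parse_rfc3339(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp <= today:
                problems.append(f"Expires has passed ({expires[0]}); the file reads as stale")
            elif exp - today > MAX_LIFETIME:
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    canonical = fields.get("Canonical", [])
    if canonical and served_from not in canonical:
        problems.append(f"served from {served_from} but Canonical lists {canonical}")

    # Every URL in these fields should be https so the file cannot be altered in transit.
    for name in ("Canonical", "Policy", "Encryption", "Acknowledgments"):
        for url in fields.get(name, []):
            if url.startswith("http://"):
                problems.append(f"{name} should use https: {url}")

    return problems


if __name__ == "__main__":
    # Demo against the published file; a real run would fetch the body over HTTPS first.
    for issue in check_security_txt(SAMPLE, "https://honelabs.dev/.well-known/security.txt",
                                    "2026-03-10T00:00:00Z") or ["no problems found"]:
        print(issue)
```

Run the same check against each domain that is supposed to serve the file, since the page states it is published on all Hone Labs domains: the `Canonical` comparison is what catches a copy that was deployed to a client-specific domain without updating the URL, and the `Expires` comparison is what catches a file nobody has refreshed since deployment.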