Trust · Responsible disclosure

Found something? Tell us first.

Researchers acting in good faith are welcome here. The terms below describe what is in scope, how to reach the security team, and what you should expect after the report lands.

Contact.

Email

support@relay.green

PGP key fingerprint

[Key fingerprint TBD]

Scope.

In scope

  • relay.green and all subdomains
  • The Relay desktop and IDE extensions
  • The press-for-an-engineer browser overlay
  • Public APIs documented at api.relay.green

Out of scope

  • Social engineering of Relay engineers, customers, or vendors
  • Physical attacks on Relay facilities
  • Denial-of-service tests against production
  • Findings already disclosed in our changelog or known-issues page
  • Best-practice recommendations without a working proof of concept

Safe harbor.

Relay will not initiate or support legal action against researchers who act in good faith, stay within the in-scope assets, do not access more data than required to demonstrate a finding, and report promptly. We will work with you on coordinated disclosure timing; our default is to publish a fix and an acknowledgment together.

Response SLA.

Initial acknowledgment within five business days. A triage decision and a severity rating within ten. Status updates every two weeks until resolution. We will not silently close a report.

Recognition.

Researchers whose reports lead to a confirmed fix are listed on a public hall-of-fame page, with permission. Where reports prevent material customer harm, we may offer swag or a discretionary thank-you payment.

No bug bounty at launch; under review. We would rather run a small, slow, careful program than a loud one. The terms above are what we can commit to today.
