Security & Vulnerability Disclosure
Isorun's product is isolation. Security is not a feature for us — it is the product. We take vulnerability reports seriously and we want to make it easy and safe for researchers to tell us when something is wrong.
Reporting a Vulnerability
If you believe you have found a security vulnerability in any Isorun service, please report it to us:
- Email: security@isorun.ai
- Machine-readable contact: /.well-known/security.txt
Please include enough detail for us to reproduce the issue: a description of the vulnerability, the steps to reproduce it, the impact you believe it has, and any proof-of-concept code or screenshots. Reports written in English are easiest for us to triage, but we accept reports in any language.
Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate. See our coordinated disclosure timeline below.
Scope
The following Isorun-operated assets are in scope for this policy:
- isorun.ai and all subdomains operated by Isorun BV, including:
  - app.isorun.ai (dashboard)
  - api.isorun.ai (control plane API)
  - docs.isorun.ai (documentation site)
- Isorun SDKs distributed under our open-source licenses (Python, TypeScript, Go)
- The Isorun guest agent and any binaries we ship into customer sandboxes
- Isorun runner infrastructure (origin servers)
Out of Scope
The following are explicitly out of scope:
- Findings from automated scanners without a working proof-of-concept demonstrating real impact
- Denial-of-service attacks, volumetric tests, or any testing that degrades service availability for other users
- Social engineering of Isorun employees, contractors, customers, or vendors
- Physical attacks against Isorun offices, datacenters, or personnel
- Reports about missing security headers, SSL/TLS configuration nits, or cookie flags without a demonstrated security impact
- Vulnerabilities in third-party services we use (Auth0, Stripe, Cloudflare, Plausible) — please report those to the respective vendors
- Anything that requires access to another customer's account, data, or sandbox to demonstrate
- Code execution inside a sandbox by its owner — sandboxes are designed for arbitrary code execution; this is the product, not a vulnerability
If you are unsure whether something is in scope, please ask before testing.
Safe Harbor
Isorun will not initiate legal action against, or support legal action by third parties against, security researchers who:
- make a good-faith effort to comply with this policy and our Acceptable Use Policy;
- report findings to security@isorun.ai before any public disclosure and allow us at least 90 days to remediate (or such longer period as is reasonable for the severity of the issue);
- do not access, modify, exfiltrate, or delete data belonging to other users beyond the minimum necessary to demonstrate the vulnerability;
- do not degrade availability of the Services for other users — no DoS, no resource exhaustion, no destructive testing;
- limit testing to accounts and sandboxes you control, or to test environments we explicitly provide for the purpose;
- do not violate applicable law in the course of their research; and
- act in good faith and without intent to harm Isorun, its customers, or any third party.
If you comply with these conditions, your activity is authorised by Isorun. We will not pursue civil or criminal claims against you for the research itself, and we will work in good faith to defend you if a third party attempts to do so on the basis of your authorised research. This safe harbor does not extend to research that violates the conditions above, and it does not waive the rights of any third party.
If at any point during your research you have a question about whether a particular action is within scope or covered by safe harbor, email us at security@isorun.ai and we will respond promptly.
Our Commitment to You
When you submit a vulnerability report, we commit to:
- Acknowledge your report within 2 business days.
- Triage the report and provide an initial assessment within 7 business days.
- Keep you informed of progress as we investigate and remediate, with at least one update every 14 days for active reports.
- Credit you publicly when the issue is fixed, if you wish, in our security advisories and on this page.
- Coordinate public disclosure with you on a timeline that gives users time to patch but does not delay disclosure unreasonably.
- Be honest about timelines, severity assessments, and root causes. If we get something wrong, we will say so.
Coordinated Disclosure
We follow coordinated vulnerability disclosure. The default timeline is 90 days from initial report to public disclosure, extendable by mutual agreement for issues that require complex remediation. We will publish an advisory at isorun.ai/security/advisories after remediation, and we will request a CVE for any vulnerability that warrants one.
If active exploitation is observed in the wild, or if a vulnerability is independently disclosed by a third party, we may shorten the disclosure timeline to protect users.
Bug Bounty
Isorun does not currently operate a paid bug bounty program. We acknowledge researchers in our Hall of Fame below and provide swag for impactful reports. We will introduce a paid program once we have the volume to do so responsibly.
Hall of Fame
Researchers who have responsibly disclosed vulnerabilities to Isorun. Send us a name and a link, and we will add you here after the issue is remediated.
No reports yet — be the first.
Questions
For questions about this policy or about Isorun's security program generally, email security@isorun.ai. For commercial security inquiries (pen-test reports, SOC 2 status, vendor questionnaires), email hello@isorun.ai.