> ## Documentation Index
> Fetch the complete documentation index at: https://docs.joinruna.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability Disclosure Policy

> How to responsibly report a security vulnerability in Runa.

*Last updated: May 22, 2026*

We take our systems' security seriously, and we value input from the security community. If you've discovered a vulnerability, we appreciate your help in disclosing it to us.

## Guidelines

We require that all researchers:

* Make every effort to avoid privacy violations, degradation of our users' experience, disruption to production systems, and destruction of data during security testing.
* Perform research only within the scope set out below.
* Use the identified communication channels to disclose vulnerability information to us.
* Keep information about any vulnerabilities you've discovered confidential between yourself and us until we've had 90 days to resolve the issue.

## Safe Harbor

If you follow these guidelines when reporting an issue to us, we commit to:

* Not pursue or support any legal action related to your research.
* Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).

## Within scope

The following services are within the scope of this disclosure program:

* joinruna.com

## Outside of scope

Any services hosted by third-party providers are excluded from the scope. These providers include, but are not limited to:

* **Google Cloud Platform** — hosting and infrastructure
* **Google** — Calendar and OAuth sign-in
* **Microsoft** — OAuth sign-in
* **WorkOS** — authentication
* **AssemblyAI** — speech-to-text transcription
* **Deepgram** — speech-to-text transcription (fallback)
* **OpenAI** — LLM provider
* **Anthropic** — LLM provider
* **Cloudflare** — R2 object storage and Workers AI embeddings
* **Stripe** — payments
* **PostHog** — product analytics
* **Sentry** — error monitoring

Vulnerabilities in any of these third-party providers should be reported directly to that provider through their own disclosure program.

## How to report a security vulnerability

If you believe you've found a security vulnerability in one of our products or platforms that is within the bounds of this program, please contact us at [admin@joinruna.com](mailto:admin@joinruna.com) with a detailed description of the vulnerability and steps to reproduce it.
