Security

Reporting a vulnerability

We take security seriously. If you have found a vulnerability in Platos, please report it privately so we can fix it before it is publicly disclosed.

Private disclosure

Email security@winsenlabs.com, or submit the form below — both route to the same on-call inbox and page us on critical reports.

Encrypted reports welcome. PGP key on request.

Submit a report

Goes to tejas@winsenlabs.com and hello@winsenlabs.com with subject prefix SECURITY REPORT ||.

Do not include live customer data. Redact tokens and PII.

Routed to security@winsenlabs.com.

Scope

  • The Platos runtime, agent service, webapp, and SDK packages in github.com/winsenlabs/platos.
  • The play.platos.dev hosted demo environment.
  • The platos.dev marketing site.

What we ask

  • Do not exploit vulnerabilities beyond what is necessary to confirm them.
  • Do not access, modify, or destroy data that does not belong to you.
  • Give us reasonable time to fix before public disclosure (typically 90 days).

What you get

  • Acknowledgement within 48 hours.
  • Triage assessment within 5 business days.
  • Public credit in the changelog and security advisory, if you want it.

Out of scope

  • Self-hosted instances run by third parties.
  • Findings that require physical access to user devices.
  • Social-engineering attacks against Winsen Labs employees.
