Security · Responsible disclosure
Find a bug? Tell us.
We take security seriously. If you discover a vulnerability in any usetheo product or surface, please report it privately so we can fix it before it reaches more users. We commit to acknowledging your report within 48 hours and to triaging it within 5 business days.
Report a vulnerability
Email security@usetheo.dev with as much detail as you can: the affected product, reproduction steps, impact, and any proof of concept. For sensitive reports that need transport encryption, use S/MIME or request a Signal handle in your initial email. Our PGP public key fingerprint is available on request at security@usetheo.dev.
Please don't
- Publicly disclose the issue before we've had a chance to fix it.
- Exploit it beyond what is needed to demonstrate the vulnerability.
- Access or modify data that is not yours.
- Run automated scanners against production systems (please use a self-hosted install for that).
How we operate
- TLS everywhere (HSTS preloaded on usetheo.dev)
- Secrets at rest encrypted (AES-256)
- Signed container images (Sigstore / cosign) for TheoCloud deploys
- Audit logs retained per environment
- Least-privilege access for the team
What we recommend you do
- Rotate API keys periodically
- Enable SSO when available (enterprise)
- Pin TheoCode and TheoKit versions in your project
- Review the Apache-2.0 source you depend on
- Set up email alerts for critical security advisories
Reporter recognition: valid reports are publicly acknowledged (with your permission) in our changelog and security advisories. A paid bug bounty program for the Enterprise tier is part of the security roadmap, which we share under NDA on request.