Xanadu
security · xanadu.run

Responsible disclosure.

Email security@xanadu.run with a vulnerability report. A human reads it within 24 hours, acknowledges within 72, and ships a fix on a posted timeline. Encrypted submissions preferred. PGP key at /.well-known/security.txt.

How to reach us

Email: security@xanadu.run. Encrypted submissions strongly preferred. The PGP key fingerprint and full public key live at /.well-known/security.txt. A SECURITY.md will publish alongside the source under MIT in 2026.

For time-sensitive issues with the live dispatcher endpoint ( xanadu.run/mcp), email and add URGENT to the subject. We page on those.

In scope

  • Dispatcher: xanadu.run/mcp (FastMCP server, HTTP transport), xanadu.run/admin/* (tenant administration), and the open-source xanadu CLI and Python package on GitHub.
  • Site: xanadu.run and all subpaths served from this Vercel deployment, including this status board.
  • Cloud (when live): the confidential inference cluster, its attestation chain, the client SDKs, and the published threat model.

Out of scope

  • Social engineering of operators or design partners.
  • Physical attacks on hardware (we have a separate process for credible state-level threats; see threat model T3).
  • DoS, rate-limit, and traffic-shaping reports unless they demonstrate a way to bypass per-tenant billing caps.
  • Findings that depend on a non-reproducible build of the dispatcher (we publish image hashes; reports must reference one).

Service-level commitments

  • Acknowledgment: within 24 hours of receipt for non-URGENT reports, 1 hour for URGENT.
  • Triage: within 72 hours, with a posted severity and a planned-fix-by date.
  • Patch: Critical within 7 days, High within 30, Medium within 90. We will publish slippage as it happens.
  • Public disclosure: coordinated with the reporter. Default is 90 days post-fix, but we will release earlier on request and write up post-mortems for every incident with a customer-visible blast radius.

Recognition and rewards

We do not currently run a structured bug bounty. We do pay individual rewards for material findings, on a case-by-case basis, scaled to the severity and the work required to produce the report. Researchers may publicly attribute their findings on the security page’s hall of fame once the patch ships.

Audits and roadmap

The open-source dispatcher (Python, MIT) has not yet been third-party audited. We are scoping an audit with a recognized firm for Q4 2026, before the confidential cloud opens to general availability. The cloud’s attestation chain, enclave build, and key-management code will receive an independent review prior to first customer onboarding.

We publish a transparency report on the same cadence as Mullvad and Proton (annual, plus an immediate report on any government-data-request event). The 2026 inaugural report will land alongside the cloud public beta.

Published documents

  • Published threat model : five named adversaries with posture, mechanism, and customer-verification path.
  • Working paper : the architecture, the case law, the references.
  • Dispatcher source : MIT, publishing in 2026. Build hashes will publish per release.

This page is a public commitment. We revise it when our posture changes, with the revision date stamped here. Revision: 2026-06-02.