Responsible Disclosure
At WorkOS, security is our highest priority. We recognize that skilled security researchers play a crucial role in identifying and addressing potential vulnerabilities. If you believe you have discovered a security issue with our services, we encourage you to report it to us. We are committed to working with you to resolve the issue promptly and effectively and will provide a monetary reward for high and critical findings.
How to Report a Vulnerability
- Contact Us: Email us at security@workos.com with details of the vulnerability. We will acknowledge receipt of your report within 2 business days and provide further instructions if necessary.
- Provide Details: Include a clear description of the vulnerability, the steps to reproduce it, and any proof-of-concept materials if possible. This helps us understand and address the issue more efficiently.
- Responsible Disclosure Timeline: Please allow us reasonable time to address and remediate the issue before disclosing it publicly or to third parties. We aim to resolve critical issues within one week of receipt.
Guidelines for Responsible Research
- Avoid Harm: Do not violate privacy, destroy data, or disrupt WorkOS services. Limit your testing to domains you own or have explicit permission to test.
- Respect Privacy: Ensure that your research does not compromise the privacy or security of other users, clients, or our infrastructure.
- Prohibited Activities: Refrain from conducting Distributed Denial of Service (DDoS) attacks, brute-forcing credentials, spamming, social engineering, phishing, or targeting our physical property or data centers.
Feedback and Communication
- Open Dialogue: We welcome feedback, questions, and suggestions. If you have any inquiries or require further clarification, please feel free to reach out to us.
Thank you for helping us maintain the security and integrity of the WorkOS platform.