Report a Security Vulnerability

What to Report

• Authentication or authorization bypass
• Data exposure — access to other users' data or sessions
• Cross-site scripting (XSS) in E2LLM web properties
• Server-side request forgery (SSRF) in the MCP relay
• Extension security — code injection, privilege escalation
• Session hijacking or token leakage
• Any vulnerability that could compromise user data or system integrity

What to Include in Your Report

• Detailed description of the vulnerability
• Steps to reproduce (as detailed as possible)
• Affected product and version (Extension v.X.X, MCP Relay, Website)
• Potential impact assessment
• Proof of concept (if available)
• Your preferred contact method and whether you'd like credit

Our Response Timeline

Safe Harbor

We will not pursue legal action against researchers who:

• Make a good-faith effort to avoid privacy violations, data destruction, and disruption of service
• Only interact with accounts they own or have explicit permission to test
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
• Report vulnerabilities to us before disclosing them publicly
• Allow reasonable time for remediation before public disclosure

Out of Scope

• Vulnerabilities in third-party services (Paddle, Keycloak, identity providers)
• Social engineering or phishing attacks against E2LLM staff
• Denial of service (DoS/DDoS) attacks
• Vulnerabilities in websites accessed by end users through E2LLM
• Issues that require physical access to a user's device
• Automated scanning output without demonstrated impact

DMCA Copyright Notices

If you believe content stored or transmitted through E2LLM services infringes your copyright, you may submit a notice to our designated DMCA agent.

Your notice must include:

• Identification of the copyrighted work you believe has been infringed
• Identification of the material you believe is infringing and sufficient information to locate it
• Your contact information (name, address, telephone, email)
• A statement that you have a good-faith belief the use is not authorized
• A statement under penalty of perjury that the information in the notice is accurate and that you are the copyright owner or authorized to act on their behalf
• Your physical or electronic signature

Designated Agent: Alexey Sokolov, S2 Tikshuv Ltd, 1521 Concord Pike, Ste 301 #242, Wilmington, DE 19803