Reporting a CVE
If you've found a malicious skill that SkillOx missed, or a vulnerability in SkillOx itself, we want to hear from you privately first. This page is the canonical disclosure contact.
When to report
- Malicious skill missed: a SKILL.md graded A/B/C/D by SkillOx that you can demonstrate is actually malicious
- Scanner bypass: a technique that hides a known attack pattern from our rules (e.g. encoding tricks that defeat the regex)
- SkillOx itself: a vulnerability in the API, web app, worker, or DB schema that would let an attacker exfiltrate data, escalate privileges, or cause sustained downtime
How to report
Email security@skillox.io with:
- A clear description of the issue
- A proof-of-concept (URL, scan ID, or repro steps)
- The impact — what an attacker could do
- Your preferred credit name (or "anonymous")
Encrypted reports: for sensitive issues, request our PGP key in the first message. We'll respond from the same address with the key fingerprint within 24h.
Our SLA
- Acknowledgement: within 48 hours
- Triage + severity assignment: within 5 business days
- Fix or mitigation: CRIT within 7 days, HIGH within 30 days, MED within 90 days
- Public disclosure: we publish a write-up after the fix ships and any affected users have been notified
Bug bounty
v0 does not have a paid bounty program — we're bootstrapped through Q1 2027. We do credit reporters on our security page (coming soon) and in the disclosure write-up. The community bug-bounty program launches soon alongside the threat-intel feed.
Out of scope
Reports about Cloudflare WAF false positives, browser quirks unrelated to security, rate-limit bypasses on the anonymous tier (the rate limit is best-effort), social engineering, or physical access to our infrastructure are all out of scope.