Last updated: April 2026
Security is central to everything we build at Enravo. We value the work of security researchers and encourage responsible disclosure of vulnerabilities. If you believe you have found a security issue in any Enravo service, we want to hear from you.
This policy applies to all Enravo services, including the Enravo website, Enravo Core, Enravo Trust, Rakton products, APIs, and any related infrastructure.
Third-party services integrated with Enravo are not in scope. If you find an issue in a third-party component, please report it to the respective vendor.
Send your report to support@enravo.com. If you prefer to encrypt your message, our PGP key is available on request.
Include a clear description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code or screenshots.
Provide your contact information so we can follow up. We will acknowledge receipt within 48 hours.
Give us reasonable time to investigate and address the issue before making any public disclosure. We aim to resolve critical vulnerabilities within 14 days.
Do not access, modify, or delete data belonging to other users. Use test accounts and your own data when demonstrating vulnerabilities.
Do not perform denial-of-service attacks, social engineering, phishing, or physical security testing.
Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.
We will keep you informed about the progress of the fix and notify you when the issue is resolved.
We will not pursue legal action against researchers who follow this policy in good faith.
We will credit you publicly (if you wish) once the vulnerability is resolved, unless you prefer to remain anonymous.
Vulnerability classes we consider in scope include remote code execution, SQL injection, authentication bypass, authorization flaws, cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), and significant data exposure.
Vulnerabilities in the Guard Pipeline, PoP verification, device binding, policy engine, or app integrity mechanisms are of particular interest.
Issues that require unlikely user interaction, outdated browsers, or already-known vulnerabilities may not qualify. The following are generally out of scope:
Clickjacking on pages without sensitive actions.
Missing HTTP security headers that do not lead to a direct exploit.
Rate limiting or brute-force issues on non-authentication endpoints.
Vulnerabilities in third-party services or dependencies that are already publicly disclosed.
Reports generated solely by automated scanning tools without manual verification.
We maintain a hall of fame for researchers who have responsibly disclosed valid vulnerabilities. If you would like to be recognized, let us know in your report.
We do not currently offer monetary bounties, but we are working toward a formal bug bounty program.
For security reports, contact us at support@enravo.com. For general questions about this policy, contact us at legal@enravo.com or through our contact page.