inis.run
Responsible Disclosure

Security Policy

We take the security of our virtualization and API isolation seriously. Learn how to report vulnerabilities or check our scope.

Reporting a Vulnerability

If you believe you have found a security vulnerability in inis.run, please report it immediately by email to security@inis.run. Do not open a public GitHub issue.

Include as much detail as you can: what you found, how to reproduce it, and any proof-of-concept you have prepared. We will acknowledge your report within 2 business days and keep you updated as we investigate.

In Scope

The following areas are in scope for security reports:

  • The inis.run API and its authentication/authorization logic.
  • Session isolation — any path by which code running in one session can observe or affect another session.
  • The preview URL ingress gateway (`*.preview.inis.run`).
  • The inis.run web application and its authentication flows.
  • Privilege escalation or unauthorized data access beyond what an API token should allow.
  • Secrets exposure (e.g., API tokens visible in logs or responses).

Out of Scope

The following are out of scope for our security response:

  • Denial of service that requires large volumes of requests (DDoS).
  • Social engineering or phishing of inis.run staff.
  • Vulnerabilities in third-party dependencies where a patch is not yet available upstream.
  • Issues that only affect deprecated or already-disabled features.
  • In-session behavior that is intentional (e.g., code inside a session has root by default — that is documented).

Safe Harbor

We will not pursue legal action against researchers who:

  • Report what they find to us promptly and in good faith.
  • Avoid accessing, modifying, or deleting data that is not theirs.
  • Do not disrupt service for other users.
  • Give us a reasonable window to fix the issue before disclosing it publicly.

We treat good-faith security research as a contribution and will credit you in the fix if you wish.

Response expectations

StepTarget Timeline
Acknowledgement2 business days
Initial assessment5 business days
Fix or mitigationDepends on severity (critical issues within 7 days where possible)

Contact: security@inis.run — for security issues only. For abuse reports, use abuse@inis.run.

Looking for how we isolate and handle your data? See the security overview.