Rensei

Responsible disclosure.

If you have found a security issue in Rensei, please tell us before the rest of the internet. This page documents how to report, what we commit to in return, and the safe-harbor terms under which we welcome research; together these form Rensei's security disclosure policy.

01 · HOW TO REPORT

One inbox, one ack window.

Email
security@rensei.ai with a description of the vulnerability, reproduction steps, and any supporting artifacts.
Encryption
For sensitive details, request our PGP key in your initial mail and we will reply with the current fingerprint. Plain email is acceptable for the first contact.
Discovery
The same contact is published in machine-readable form at /.well-known/security.txt per RFC 9116.

02 · COMMITMENTS

Timelines and credit.

  • Acknowledgment within 48 hours. A real human replies. Weekends and holidays may add a day.
  • Triage within 5 business days. We confirm scope, severity, and whether the issue is in active remediation already.
  • Status updates every 14 days until the report is resolved, rejected, or accepted as a documented risk.
  • Public credit on resolution if the reporter wants it. Credit appears in the changelog of the release that ships the fix, with name and link the reporter provides.
  • No bug bounty at this stage. Rensei is pre-revenue; cash rewards are not currently offered. This may change once the platform lands paying customers.

03 · SCOPE

What is in scope.

In scope

  • rensei.ai and any subdomain we operate
  • app.rensei.ai (Rensei Platform)
  • The open-source donmai runtime at github.com/RenseiAI/donmai
  • The audit-chain verification protocol and discovery manifest
  • Authentication, authorization, policy enforcement, audit integrity

Out of scope

  • Third-party LLM provider responses (report to the provider)
  • Third-party dependencies (report to the upstream maintainer)
  • Social-engineering attacks against Rensei staff
  • Denial-of-service via volumetric traffic
  • Customer-managed deployments outside Rensei's operational scope

04 · SAFE HARBOR

We will not pursue research conducted in good faith.

Research conducted under this policy is considered authorized, will not result in legal action initiated by us, and is exempt from any restrictions in our terms of service that would otherwise prohibit it.

The conditions: stay within the in-scope assets above, do not access or modify data you do not own, do not run automated scans that disrupt service, give us reasonable time to remediate before any public disclosure, and follow applicable laws.

If you are unsure whether a planned test is in scope, email us first: security@rensei.ai.

05 · ACCOUNTABILITY

Who owns this.

Until a dedicated security lead is named, the disclosure inbox is read and triaged by Mark Kropf, founder. Reports are tracked in an internal queue. Every report receives a human reply within the acknowledgment window above.

When a dedicated security lead is engaged (a named external advisory firm, a fractional CISO, or a full-time hire), this page will name the lead and the escalation path.

How reporter data is handled

Reports live in the disclosure inbox and the internal triage queue, with access restricted to the triage owner named above. Report contents are retained for two years after resolution, then deleted. Reporter identity is shared outside triage only with the reporter's consent, including for the public credit offered on resolution.