[{"id":3773845,"new_policy":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. Reports already submitted here will continue to be triaged as before.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. Reports already submitted here will continue to be triaged as before.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-07T19:23:18.583Z"},{"id":3773844,"new_policy":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. Reports already submitted here will continue to be triaged as before.\n\n**Previous Text**\nThe security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAt Anthropic, our mission is to ensure artificial intelligence benefits humanity. 
Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.\n\nAs part of our mission to advance safe and responsible AI development across the industry, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization. This helps ensure that all impacted services can properly assess and address the vulnerability.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. 
You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. 
Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. NOTE: We fully support researchers' right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services - we will never attempt to restrict such disclosures;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must validate all vulnerabilities and provide a working proof of concept with your submission. False positive and/or theoretical reports from automated scanners or written by AI will be closed as \"Not Applicable\" at Anthropic's discretion; \n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. 
Treasury Department's Office of Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n- By submitting a report, you represent that you are the rightful author of the underlying work and grant Anthropic full rights to use the vulnerability report data (including sharing details with third-parties as needed) to address any vulnerabilities. \n\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible. Finally, you can expect us to collaborate expeditiously with you to support timely and safe disclosure of your findings.\n\nIf you provide your contact information, our representatives may contact you for further information. 
Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. 
Reports already submitted here will continue to be triaged as before.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-07T19:21:56.153Z"},{"id":3773843,"new_policy":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. Reports already submitted here will continue to be triaged as before.\n\n\nThe security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAt Anthropic, our mission is to ensure artificial intelligence benefits humanity. Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.\n\nAs part of our mission to advance safe and responsible AI development across the industry, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization. 
This helps ensure that all impacted services can properly assess and address the vulnerability.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning 
safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. NOTE: We fully support researchers' right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services - we will never attempt to restrict such disclosures;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must validate all vulnerabilities and provide a working proof of concept with your submission. False positive and/or theoretical reports from automated scanners or written by AI will be closed as \"Not Applicable\" at Anthropic's discretion; \n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. 
Treasury Department's Office of Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n- By submitting a report, you represent that you are the rightful author of the underlying work and grant Anthropic full rights to use the vulnerability report data (including sharing details with third-parties as needed) to address any vulnerabilities. \n\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible. Finally, you can expect us to collaborate expeditiously with you to support timely and safe disclosure of your findings.\n\nIf you provide your contact information, our representatives may contact you for further information. 
Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"# IMPORTANT\n**Anthropic's vulnerability disclosure has moved to the** **[Anthropic Bug Bounty](https://hackerone.com/anthropic)** program. Please submit all reports there, or use the **[direct submission form](https://hackerone.com/4f1f16ba-10d3-4d09-9ecc-c721aad90f24/embedded_submissions/new?locale=en)**. This VDP program is no longer accepting submissions. 
Reports already submitted here will continue to be triaged as before.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-07T19:20:56.023Z"},{"id":3770070,"new_policy":"The security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAt Anthropic, our mission is to ensure artificial intelligence benefits humanity. Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.\n\nAs part of our mission to advance safe and responsible AI development across the industry, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization. This helps ensure that all impacted services can properly assess and address the vulnerability.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. 
You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. 
Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. NOTE: We fully support researchers' right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services - we will never attempt to restrict such disclosures;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must validate all vulnerabilities and provide a working proof of concept with your submission. False positive and/or theoretical reports from automated scanners or written by AI will be closed as \"Not Applicable\" at Anthropic's discretion; \n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. 
Treasury Department's Office of Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n- By submitting a report, you represent that you are the rightful author of the underlying work and grant Anthropic full rights to use the vulnerability report data (including sharing details with third-parties as needed) to address any vulnerabilities. \n\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible. Finally, you can expect us to collaborate expeditiously with you to support timely and safe disclosure of your findings.\n\nIf you provide your contact information, our representatives may contact you for further information. 
Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-23T16:24:33.401Z"},{"id":3764245,"new_policy":"The security of our systems and user data is Anthropic’s top priority. 
We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAt Anthropic, our mission is to ensure artificial intelligence benefits humanity. Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.\n\nAs part of our mission to advance safe and responsible AI development across the industry, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization. This helps ensure that all impacted services can properly assess and address the vulnerability.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. 
You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. 
Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information - - Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. NOTE: We fully support researchers' right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services - we will never attempt to restrict such disclosures;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department of Office Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n- By submitting a report, you represent that you are the rightful author of the underlying work and grant Anthropic full rights to use the vulnerability report data (including sharing details with third-parties as needed) to address any vulnerabilities. 
\n\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible. Finally, you can expect us to collaborate expeditiously with you to support timely and safe disclosure of your findings.\n\nIf you provide your contact information, our representatives may contact you for further information. Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. 
To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-07T00:03:19.824Z"},{"id":3750292,"new_policy":"The security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAt Anthropic, our mission is to ensure artificial intelligence benefits humanity. Central to this mission is our commitment to the security and integrity of our systems, services, and the data entrusted to us by our users and partners. We've established this responsible disclosure program to collaborate with security researchers who help identify potential vulnerabilities in our systems.\n\nAs part of our mission to advance safe and responsible AI development across the industry, we actively encourage researchers to work with other AI organizations. If you discover a vulnerability that affects multiple AI services, please submit separate reports to each affected organization. 
This helps ensure that all impacted services can properly assess and address the vulnerability.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning 
safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information - - Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. NOTE: We fully support researchers' right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services - we will never attempt to restrict such disclosures;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department of Office Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. 
If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible. Finally, you can expect us to collaborate expeditiously with you to support timely and safe disclosure of your findings.\n\nIf you provide your contact information, our representatives may contact you for further information. Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. 
Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-14T18:22:39.792Z"},{"id":3743007,"new_policy":"The security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAnthropic (the “Company”, “we”, “our”, or “us”) is committed to ensuring the ongoing security and confidentiality of its information systems and customer information. This Responsible Disclosure Policy (this “Policy”) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and our recommended procedures for reporting potential vulnerabilities to us.\n\nWe recognize and appreciate that security researchers (“you”, “your”, “yours”) regularly contribute to the effort of securing information systems, including ours. 
Therefore, we appreciate security researchers disclosing to us potential vulnerabilities on our Information Systems (as defined below) that are discovered in good faith in accordance with this Policy.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities 
that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. Please report such issues to modelbugbounty AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information - - Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You 
will not exfiltrate, download, or otherwise retain any data that you collect. If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to any third party or to the public until you have received prior written approval from us;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department of Office Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. 
If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.\n\nIf you provide your contact information, our representatives may contact you for further information. Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. 
Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-25T18:17:18.231Z"},{"id":3740627,"new_policy":"The security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAnthropic (the “Company”, “we”, “our”, or “us”) is committed to ensuring the ongoing security and confidentiality of its information systems and customer information. This Responsible Disclosure Policy (this “Policy”) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and our recommended procedures for reporting potential vulnerabilities to us.\n\nWe recognize and appreciate that security researchers (“you”, “your”, “yours”) regularly contribute to the effort of securing information systems, including ours. 
Therefore, we appreciate security researchers disclosing to us potential vulnerabilities on our Information Systems (as defined below) that are discovered in good faith in accordance with this Policy.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities 
that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. Please report such issues to usersafety AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You will use your `@wearehackerone.com` email address when creating any accounts for the purpose of testing and add a `X-HackerOne-Handle: \u003cyour handle\u003e` to your requests;\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information - - Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You 
will not exfiltrate, download, or otherwise retain any data that you collect. If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to any third party or to the public until you have received prior written approval from us;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department of Office Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. 
If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.\n\nIf you provide your contact information, our representatives may contact you for further information. Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. 
Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-27T14:51:30.718Z"},{"id":3737764,"new_policy":"The security of our systems and user data is Anthropic’s top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.\n\n## Purpose\n\nAnthropic (the “Company”, “we”, “our”, or “us”) is committed to ensuring the ongoing security and confidentiality of its information systems and customer information. This Responsible Disclosure Policy (this “Policy”) is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and our recommended procedures for reporting potential vulnerabilities to us.\n\nWe recognize and appreciate that security researchers (“you”, “your”, “yours”) regularly contribute to the effort of securing information systems, including ours. 
Therefore, we appreciate security researchers disclosing to us potential vulnerabilities on our Information Systems (as defined below) that are discovered in good faith in accordance with this Policy.\n\n## Scope of Systems\n\nThis Policy covers all internet-facing information systems, applications, or websites owned, operated, or controlled by us, including any web or mobile applications hosted on those websites, including the Anthropic domain and related subdomains (collectively, “Information Systems”).\n\nThis Policy also does not cover any information systems, websites, or applications that are owned, operated, or controlled by any third party, including any service provider or contractor to the Company, even where under an Anthropic domain. You should comply with the responsible disclosure efforts for those other systems, websites, and applications.\n\n## Scope of Vulnerabilities\n\nThis Policy covers technical vulnerabilities that potentially exist on our Information Systems such as misconfigurations, CSRFs or cross site request forgeries, privilege escalation attacks, SQL Injection, XSS, and directory traversal attacks.\n\nThis Policy excludes the following vulnerabilities, subject to Anthropic’s discretion:\n\n- general security, email best practices, or missing best practices in SSL/TLS configurations without a working proof-of-concept,\n- physical compromise or intrusions,\n- rate limiting or brute-force issues on non-authenticated endpoints,\n- compromises involving an insider,\n- social engineering (including phishing attempts),\n- reflected file downloads,\n- account takeovers (including any brute force attacks on accounts that are not yours),\n- red-teaming, adversarial testing of our models,\n- content issues with model prompts and responses,\n- denial of service attacks,\n- clickjacking on pages with no sensitive actions,\n- missing HttpOnly or Secure flags on cookies,\n- dependency hijacking, or\n- any widely publicized zero-day vulnerabilities 
that have no patch or have only had a patch available for less than 30 days\n\nWe welcome reports concerning safety issues, “jailbreaks,” and similar concerns so that we can enhance the safety and harmlessness of our models. Please report such issues to usersafety AT anthropic DOT com with enough detail for us to replicate the issue.\n\n## Research Guidelines\n\nWhile we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:\n\n- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us;\n- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities;\n- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability;\n- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent;\n- You will not exfiltrate, download, or otherwise retain any data that you collect. 
If you inadvertently access any data, you will report such access to us as part of your report;\n- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to any third party or to the public until you have received prior written approval from us;\n- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own;\n- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Anthropic employee, contractor, or representative;\n- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner;\n- You must not be listed on the Specially Designated Nationals and Blocked Persons List as published by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) or any other sanctions list, or reside in any country that has been sanctioned by the United States Government; and\n- You, at all times, are in compliance with all applicable federal, state, and local laws in connection with your research activities.\n\nIf you have any questions about this Policy or whether your research is consistent with these engagement guidelines, please contact disclosure AT anthropic DOT com\n\n## Your Expectations of Us\n\nAll good-faith reports will be taken seriously. Upon promptly and responsibly reporting any potential vulnerability you have discovered, you can expect us to promptly evaluate your findings. If we determine (at our sole discretion) that a vulnerability exists, you can expect us to validate the existence of the vulnerability, to confirm the same with you, and to promptly take appropriate steps to address, mitigate, or remediate the vulnerability to the extent feasible.\n\nIf you provide your contact information, our representatives may contact you for further information. 
Additionally, we will:\n\n- Protect your name and contact information and will not disclose such information without your consent, unless required by lawful legal process, law or court order;\n- Refrain from taking legal action as further set forth in the Safe Harbor section below;\n- With your permission, attribute your name and contribution on any public disclosure we make, to the extent we choose to make a public disclosure;\n- Acknowledge your submission within three (3) business days; and\n- Make best efforts to keep you updated and promptly complete our investigation and, if applicable, confirm our remediation strategy within an established timeline.\n\n## Safe Harbor\n\nIf you, in our sole determination, make a good faith effort to research and disclose vulnerabilities in accordance with this Policy and the above Research Guidelines, we will not pursue any legal action because of your research or responsible disclosure, subject to Anthropic’s compliance with applicable laws and legal obligations. To qualify for safe harbor, disclosures to us must be unconditional and may not involve extortion or threats.\n\n## Changes to this Policy\n\nWe reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. 
Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-03T22:27:12.854Z"},{"id":3735198,"new_policy":"#Brand Promise\n\nAnthropic (VDP) looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n#Scope\n\nThis policy applies to any digital assets, owned, operated, or maintained by Anthropic (VDP), including public facing websites.\n\n#Out of Scope\n\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n* Social engineering of our employees or contractors, unless explicitly authorized.\n* Attacks against our physical facilities, unless explicitly authorized.\n* Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.\n* Attacks requiring disabling Man In The Middle (MITM) protections.\n* Attacks only affecting obsolete browsers or operating systems.\n* Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.\n* Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.\n* Open redirects, unless a significant impact can be demonstrated.\n* Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.\n* Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.\n* Software version disclosure / Banner identification issues / Descriptive error 
messages or stack traces.\n* Issues that require unlikely user interaction by the victim.\n\n#Disclosure Policies\n\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Anthropic (VDP) and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-06T14:11:44.957Z"}]