Legal · Last updated 21 May 2026
Security & Responsible Disclosure
Our users trust us with credentials, résumés, and Gmail access. If you find a flaw that puts that trust at risk, we want to know — and we'll pay you for it.
1. How to report
Email security@axelhired.com with reproduction steps, a clear impact statement, and any tools or scripts you used. PGP is fine but not required. We reply within 24 hours during Indian working hours.
2. In scope
- *.axelhired.com production surfaces
- The AxelHired Chrome extension
- The CLI client
- Our API endpoints under /api/
- The Hetzner worker fleet, where the issue is exploitable from outside the VPC
3. Out of scope
- Findings on third-party platforms we apply to (Naukri, LinkedIn, Workday, etc.). Report those to the platform.
- Theoretical issues without a reproducible exploit.
- Self-XSS, clickjacking on non-sensitive routes, missing best-practice headers without a concrete impact.
- Spam, social engineering of staff, or denial-of-service.
- Anything requiring physical access to the user's device or compromised credentials we did not issue.
4. Bounty bands
Pre-launch ranges. These are minimums — we pay above the band for novel or chained issues.
- ₹50,000+: Critical. RCE on a worker, vault master-key disclosure, cross-tenant Vault read, account takeover at scale.
- ₹15,000+: High. Cross-tenant data read, stored XSS on an authenticated surface, auth bypass on a per-user endpoint.
- ₹5,000+: Medium. Information disclosure of non-credential PII, CSRF on a state-changing route, billing manipulation in a single account.
- ₹1,000+: Low. Lower-severity issues we'd still want to fix. Acknowledgement + payout.
5. Safe-harbour
Good-faith research under this policy will not be referred to law enforcement. We will not pursue civil action against you provided you:
- Limit your testing to your own test accounts.
- Avoid accessing or modifying other users' data beyond what is strictly necessary to demonstrate the issue.
- Do not publish or share the issue before we've had a reasonable chance to remediate (typically 90 days).
- Do not run destructive tests, automated scanners, or DoS-class attacks against production.
6. Hall of acknowledgements
Researchers who have helped harden AxelHired will be listed here with their permission. The list is empty today — be first.