Security disclosure

Vulnerability Disclosure Program

CrewAI takes the security of our platform seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly. Please use the form below to submit your report — our security team reviews every submission.

Scope

  • In scope: app.crewai.com (enterprise SaaS), crewAIInc/crewAI open-source repository
  • Out of scope: Third-party services, social engineering attacks, physical attacks, denial-of-service, automated scanning without prior approval

What to Include

  • Clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Screenshots, videos, or proof-of-concept code where applicable
  • The affected URL, parameter, or component

Safe Harbor

CrewAI will not pursue legal action against researchers who discover and report security vulnerabilities in good faith and in accordance with this policy. We ask that you do not access, modify, or delete user data; do not degrade service availability; and keep your findings confidential until we've had a reasonable opportunity to address them.